authorIvo Roylev <ivo.roylev@oracle.com>2018-06-14 17:27:54 +0300
committerIvo Roylev <ivo.roylev@oracle.com>2018-06-14 17:27:54 +0300
commitcad692f919493e2176d52984415561496e13833d (patch)
tree554ec8a7962cd6524416048325bb235906751d56
parent7b2f4b82ea4dd8a63c2806c452b319f26493206c (diff)
Bug#27980823: HEAP OVERFLOW VULNERABILITIES IN MYSQL CLIENT LIBRARY
-rw-r--r--sql-common/client.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/sql-common/client.c b/sql-common/client.c
index 3247fd8e339..7938403db59 100644
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -1505,7 +1505,8 @@ unpack_fields(MYSQL *mysql, MYSQL_DATA *data,MEM_ROOT *alloc,uint fields,
{
uchar *pos;
/* fields count may be wrong */
- DBUG_ASSERT((uint) (field - result) < fields);
+ if (field < result || (uint) (field - result) >= fields)
+ DBUG_RETURN(NULL);
cli_fetch_lengths(&lengths[0], row->data, default_value ? 8 : 7);
field->catalog= strmake_root(alloc,(char*) row->data[0], lengths[0]);
field->db= strmake_root(alloc,(char*) row->data[1], lengths[1]);
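Review bot: The new bounds-check return in unpack_fields hands back NULL without recording a client error or releasing anything in the visible lines, so a caller cannot tell a malformed field packet from any other failure and may report a stale or empty error. If the function's other failure paths (outside this hunk) free `data` and set an error, this path should match them, e.g. `free_rows(data);` and `set_mysql_error(mysql, CR_MALFORMED_PACKET, unknown_sqlstate);` ahead of `DBUG_RETURN(NULL);`. The same point applies to `if (pkt_len == 0) DBUG_RETURN(0);` added in cli_read_rows, which returns with no error code, whereas the packet_error branch just above it presumably relies on cli_safe_read having set one. The loop body in unpack_fields starts and ends outside the hunk, so whether `data` is released on this path needs confirming against the full function.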
@@ -1612,6 +1613,7 @@ MYSQL_DATA *cli_read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields,
if ((pkt_len= cli_safe_read(mysql)) == packet_error)
DBUG_RETURN(0);
+ if (pkt_len == 0) DBUG_RETURN(0);
if (!(result=(MYSQL_DATA*) my_malloc(sizeof(MYSQL_DATA),
MYF(MY_WME | MY_ZEROFILL))))
{