authorIvo Roylev <ivo.roylev@oracle.com>2018-06-14 17:27:54 +0300
committerHery Ramilison <hery.ramilison@oracle.com>2018-06-15 18:31:38 +0200
commite48d775c6f066add457fa8cfb2ebc4d5ff0c7613 (patch)
tree3d14b8c027a88a891b41523262a0b381d905695d
parentbd5ca6acece65858591c2bf54f86ff34aeea2821 (diff)
Bug#27980823: HEAP OVERFLOW VULNERABILITIES IN MYSQL CLIENT LIBRARYmysql-5.5.61
(cherry picked from commit b5b986b2cbd9a7848dc3f48e5c42b6d4e1e5fb22)
-rw-r--r--sql-common/client.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/sql-common/client.c b/sql-common/client.c
index 3247fd8e339..7938403db59 100644
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -1505,7 +1505,8 @@ unpack_fields(MYSQL *mysql, MYSQL_DATA *data,MEM_ROOT *alloc,uint fields,
{
uchar *pos;
/* fields count may be wrong */
- DBUG_ASSERT((uint) (field - result) < fields);
+ if (field < result || (uint) (field - result) >= fields)
+ DBUG_RETURN(NULL);
cli_fetch_lengths(&lengths[0], row->data, default_value ? 8 : 7);
field->catalog= strmake_root(alloc,(char*) row->data[0], lengths[0]);
field->db= strmake_root(alloc,(char*) row->data[1], lengths[1]);
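Review bot: The new bounds check in unpack_fields returns NULL without recording a client error, so a caller cannot tell a malformed field list from any other failure. Its cleanup is outside the hunk, but if unpack_fields normally frees `data` before returning (inferred from the `MYSQL_DATA *data` parameter), this early exit also skips that release. I would make the rejection explicit: `{ free_rows(data); set_mysql_error(mysql, CR_MALFORMED_PACKET, unknown_sqlstate); DBUG_RETURN(NULL); }`. The `pkt_len == 0` return added in cli_read_rows has the same silent-failure shape and would benefit from the same `set_mysql_error` call. If the function has a second loop for the older protocol outside this hunk, it needs the same `field - result` bound, since the row count comes from the server.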
@@ -1612,6 +1613,7 @@ MYSQL_DATA *cli_read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields,
if ((pkt_len= cli_safe_read(mysql)) == packet_error)
DBUG_RETURN(0);
+ if (pkt_len == 0) DBUG_RETURN(0);
if (!(result=(MYSQL_DATA*) my_malloc(sizeof(MYSQL_DATA),
MYF(MY_WME | MY_ZEROFILL))))
{
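Review bot: The added `if (pkt_len == 0) DBUG_RETURN(0);` has no comment saying why an empty packet is rejected, and it puts the return on the same line as the condition, unlike the `cli_safe_read` check directly above it. I would split it over two lines and add a comment such as `/* a zero-length packet has no header byte to inspect; treat it as malformed */`. That wording assumes the code after the allocation reads the first packet byte, which is outside the hunk, so adjust it to what the function actually does. The body of cli_read_rows continues past the end of the hunk.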