summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAnushree Prakash B <anushree.prakash.b@oracle.com>2019-12-26 16:29:04 +0530
committerSergei Golubchik <serg@mariadb.org>2020-04-30 10:13:21 +0200
commite8e67bd4a4cabaae98dcbfac79c1d4b84066bf1c (patch)
tree5b36bcb08d10b4baee3a0052a5708a4a46bb744b
parent39c60116e8065e9161f14f65ceb26e54782388bc (diff)
downloadmariadb-git-e8e67bd4a4cabaae98dcbfac79c1d4b84066bf1c.tar.gz
Bug#30689251 - BACKPORT TO MYSQL-5.6, BUG#29597896 - NULL POINTER DEREFERENCE IN LIBMYSQL
DESCRIPTION: ============ There can be issues if the packets sent by the server are not proper. Certain checks should be performed at the client side while unpacking fields data. FIX: ==== Check for the appropriate fields data and error out if it is not present. RB: 23601
-rw-r--r--sql-common/client.c20
1 files changed, 17 insertions, 3 deletions
diff --git a/sql-common/client.c b/sql-common/client.c
index c7fb70fbeef..22a4f789485 100644
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -1538,9 +1538,23 @@ unpack_fields(MYSQL *mysql, MYSQL_DATA *data,MEM_ROOT *alloc,uint fields,
{
if (field - result >= fields)
goto err;
+
+ /*
+ If any of the row->data[] below is NULL, it can result in a
+ crash. Error out early as it indicates a malformed packet.
+ For data[0], data[1] and data[5], strmake_root will handle
+ NULL values.
+ */
+ if (!row->data[2] || !row->data[3] || !row->data[4])
+ {
+ free_rows(data);
+ set_mysql_error(mysql, CR_MALFORMED_PACKET, unknown_sqlstate);
+ DBUG_RETURN(0);
+ }
+
cli_fetch_lengths(&lengths[0], row->data, default_value ? 6 : 5);
- field->org_table= field->table= strdup_root(alloc,(char*) row->data[0]);
- field->name= strdup_root(alloc,(char*) row->data[1]);
+ field->org_table= field->table= strmake_root(alloc,(char*) row->data[0], lengths[0]);
+ field->name= strmake_root(alloc,(char*) row->data[1], lengths[1]);
field->length= (uint) uint3korr(row->data[2]);
field->type= (enum enum_field_types) (uchar) row->data[3][0];
@@ -1565,7 +1579,7 @@ unpack_fields(MYSQL *mysql, MYSQL_DATA *data,MEM_ROOT *alloc,uint fields,
field->flags|= NUM_FLAG;
if (default_value && row->data[5])
{
- field->def=strdup_root(alloc,(char*) row->data[5]);
+ field->def= strmake_root(alloc,(char*) row->data[5], lengths[5]);
field->def_length= lengths[5];
}
else