diff options
author | Anushree Prakash B <anushree.prakash.b@oracle.com> | 2019-12-26 16:29:04 +0530 |
---|---|---|
committer | Sergei Golubchik <serg@mariadb.org> | 2020-04-30 10:13:21 +0200 |
commit | e8e67bd4a4cabaae98dcbfac79c1d4b84066bf1c (patch) | |
tree | 5b36bcb08d10b4baee3a0052a5708a4a46bb744b | |
parent | 39c60116e8065e9161f14f65ceb26e54782388bc (diff) | |
download | mariadb-git-e8e67bd4a4cabaae98dcbfac79c1d4b84066bf1c.tar.gz |
Bug#30689251 - BACKPORT TO MYSQL-5.6, BUG#29597896 - NULL POINTER DEREFERENCE IN LIBMYSQL
DESCRIPTION:
============
There can be issues if the packets sent by the server
are not proper. Certain checks should be performed at the
client side while unpacking fields data.
FIX:
====
Check for the appropriate fields data and error out if it
is not present.
RB: 23601
-rw-r--r-- | sql-common/client.c | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/sql-common/client.c b/sql-common/client.c index c7fb70fbeef..22a4f789485 100644 --- a/sql-common/client.c +++ b/sql-common/client.c @@ -1538,9 +1538,23 @@ unpack_fields(MYSQL *mysql, MYSQL_DATA *data,MEM_ROOT *alloc,uint fields, { if (field - result >= fields) goto err; + + /* + If any of the row->data[] below is NULL, it can result in a + crash. Error out early as it indicates a malformed packet. + For data[0], data[1] and data[5], strmake_root will handle + NULL values. + */ + if (!row->data[2] || !row->data[3] || !row->data[4]) + { + free_rows(data); + set_mysql_error(mysql, CR_MALFORMED_PACKET, unknown_sqlstate); + DBUG_RETURN(0); + } + cli_fetch_lengths(&lengths[0], row->data, default_value ? 6 : 5); - field->org_table= field->table= strdup_root(alloc,(char*) row->data[0]); - field->name= strdup_root(alloc,(char*) row->data[1]); + field->org_table= field->table= strmake_root(alloc,(char*) row->data[0], lengths[0]); + field->name= strmake_root(alloc,(char*) row->data[1], lengths[1]); field->length= (uint) uint3korr(row->data[2]); field->type= (enum enum_field_types) (uchar) row->data[3][0]; @@ -1565,7 +1579,7 @@ unpack_fields(MYSQL *mysql, MYSQL_DATA *data,MEM_ROOT *alloc,uint fields, field->flags|= NUM_FLAG; if (default_value && row->data[5]) { - field->def=strdup_root(alloc,(char*) row->data[5]); + field->def= strmake_root(alloc,(char*) row->data[5], lengths[5]); field->def_length= lengths[5]; } else |