Bug#25471090: MYSQL USE AFTER FREE

a better fix
author: Sergei Golubchik <serg@mariadb.org> 2018-04-30 13:50:59 +0200
committer: Sergei Golubchik <serg@mariadb.org> 2018-04-30 15:49:19 +0200
commit: a52c46e06935b09ff9219ae7684b5a29394e992b (patch)
tree: d6829626910c3a86ce492951d21aff650dd5c5ee
parent: 5cfe52314e29386e1867fad1b44eace2b9d0be7e (diff)
download: mariadb-git-a52c46e06935b09ff9219ae7684b5a29394e992b.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/sql-common/client.c b/sql-common/client.c
index 9cb3311d2e1..b485ebf4f60 100644
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -1636,7 +1636,7 @@ MYSQL_DATA *cli_read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields,
       else
       {
 	cur->data[field] = to;
-        if (to + len > end_to)
+        if (unlikely(len > (ulong)(end_to-to) || to > end_to))
         {
           free_rows(result);
           set_mysql_error(mysql, CR_MALFORMED_PACKET, unknown_sqlstate);
@@ -1708,7 +1708,7 @@ read_one_row(MYSQL *mysql,uint fields,MYSQL_ROW row, ulong *lengths)
     }
     else
     {
-      if (pos + len > end_pos)
+      if (unlikely(len > (ulong)(end_pos - pos) || pos > end_pos))
       {
         set_mysql_error(mysql, CR_UNKNOWN_ERROR, unknown_sqlstate);
         return -1;
author	Sergei Golubchik <serg@mariadb.org>	2018-04-30 13:50:59 +0200
committer	Sergei Golubchik <serg@mariadb.org>	2018-04-30 15:49:19 +0200
commit	a52c46e06935b09ff9219ae7684b5a29394e992b (patch)
tree	d6829626910c3a86ce492951d21aff650dd5c5ee
parent	5cfe52314e29386e1867fad1b44eace2b9d0be7e (diff)
download	mariadb-git-a52c46e06935b09ff9219ae7684b5a29394e992b.tar.gz