diff options
author | Aleksey Midenkov <midenok@gmail.com> | 2019-12-25 22:57:14 +0300 |
---|---|---|
committer | Aleksey Midenkov <midenok@gmail.com> | 2019-12-25 22:57:14 +0300 |
commit | 7864cb5dd32d3a88c2baf6ce3163ea1ff47c4efb (patch) | |
tree | 7c663d8cc286dee36c7346e7d398397aa67f02fa | |
parent | 414e5f7f5544a9baf1bf1fc31b01b387a73ef3b4 (diff) | |
download | mariadb-git-7864cb5dd32d3a88c2baf6ce3163ea1ff47c4efb.tar.gz |
Fix out-of-bounds read of extra2
-rw-r--r-- | sql/table.cc | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/sql/table.cc b/sql/table.cc index 761c0bf2b35..ab18eb75f65 100644 --- a/sql/table.cc +++ b/sql/table.cc @@ -1757,6 +1757,10 @@ int TABLE_SHARE::init_from_binary_frm_image(THD *thd, bool write, /* Length of the MariaDB extra2 segment in the form file. */ len = uint2korr(frm_image+4); + if (frm_length < FRM_HEADER_SIZE + len || + !(pos= uint4korr(frm_image + FRM_HEADER_SIZE + len))) + goto err; + if (read_extra2(frm_image, len, &extra2)) goto err; @@ -1778,10 +1782,6 @@ int TABLE_SHARE::init_from_binary_frm_image(THD *thd, bool write, } #endif - if (frm_length < FRM_HEADER_SIZE + len || - !(pos= uint4korr(frm_image + FRM_HEADER_SIZE + len))) - goto err; - forminfo= frm_image + pos; if (forminfo + FRM_FORMINFO_SIZE >= frm_image_end) goto err; |