Merge tag 'mariadb-5.5.68' into 10.0bb-10.0-serg10.0

1 files changed, 17 insertions, 3 deletions

diff --git a/sql-common/client.c b/sql-common/client.c
index 68e71a09859..5ef28d1fe7c 100644
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -1402,9 +1402,23 @@ unpack_fields(MYSQL *mysql, MYSQL_DATA *data,MEM_ROOT *alloc,uint fields,
     {
       if (field - result >= fields)
         goto err;
+
+      /*
+       If any of the row->data[] below is NULL, it can result in a
+       crash. Error out early as it indicates a malformed packet.
+       For data[0], data[1] and data[5], strmake_root will handle
+       NULL values.
+      */
+      if (!row->data[2] || !row->data[3] || !row->data[4])
+      {
+        free_rows(data);
+        set_mysql_error(mysql, CR_MALFORMED_PACKET, unknown_sqlstate);
+        DBUG_RETURN(0);
+      }
+
       cli_fetch_lengths(&lengths[0], row->data, default_value ? 6 : 5);
-      field->org_table= field->table=  strdup_root(alloc,(char*) row->data[0]);
-      field->name=   strdup_root(alloc,(char*) row->data[1]);
+      field->org_table= field->table=  strmake_root(alloc,(char*) row->data[0], lengths[0]);
+      field->name=   strmake_root(alloc,(char*) row->data[1], lengths[1]);
       field->length= (uint) uint3korr(row->data[2]);
       field->type=   (enum enum_field_types) (uchar) row->data[3][0];
 
@@ -1429,7 +1443,7 @@ unpack_fields(MYSQL *mysql, MYSQL_DATA *data,MEM_ROOT *alloc,uint fields,
         field->flags|= NUM_FLAG;
       if (default_value && row->data[5])
       {
-        field->def=strdup_root(alloc,(char*) row->data[5]);
+        field->def= strmake_root(alloc,(char*) row->data[5], lengths[5]);
 	field->def_length= lengths[5];
       }
       else