Bug #45031: invalid memory reads in my_real_read using protocol

            compression 
 
Since uint3korr() may read 4 bytes depending on build flags and 
platform, allocate 1 extra "safety" byte in the network buffer 
for cases when uint3korr() in my_real_read() is called to read
last 3 bytes in the buffer. 
 
It is practically hard to construct a reliable and reasonably 
small test case for this bug as that would require constructing 
input stream such that a certain sequence of bytes in a 
compressed packet happens to be the last 3 bytes of the network 
buffer. 

1 files changed, 11 insertions, 2 deletions

diff --git a/sql/net_serv.cc b/sql/net_serv.cc
index 627a5fae5e3..fdabad6f569 100644
--- a/sql/net_serv.cc
+++ b/sql/net_serv.cc
@@ -188,10 +188,12 @@ my_bool net_realloc(NET *net, ulong length)
   pkt_length = (length+IO_SIZE-1) & ~(IO_SIZE-1); 
   /*
     We must allocate some extra bytes for the end 0 and to be able to
-    read big compressed blocks
+    read big compressed blocks + 1 safety byte since uint3korr() in
+    my_real_read() may actually read 4 bytes depending on build flags and
+    platform.
   */
   if (!(buff=(uchar*) my_realloc((char*) net->buff, (uint32) pkt_length +
-				 NET_HEADER_SIZE + COMP_HEADER_SIZE,
+				 NET_HEADER_SIZE + COMP_HEADER_SIZE + 1,
 				 MYF(MY_WME))))
   {
     net->error= 1;
@@ -919,6 +921,13 @@ my_real_read(NET *net, ulong *complen)
 #ifdef HAVE_COMPRESS
 	if (net->compress)
 	{
+          /*
+            The following uint3korr() may read 4 bytes, so make sure we don't
+            read unallocated or uninitialized memory. The right-hand expression
+            must match the size of the buffer allocated in net_realloc().
+          */
+          DBUG_ASSERT(net->where_b + NET_HEADER_SIZE + sizeof(uint32) <=
+                      net->max_packet + NET_HEADER_SIZE + COMP_HEADER_SIZE + 1);
 	  /*
 	    If the packet is compressed then complen > 0 and contains the
 	    number of bytes in the uncompressed packet