author | Chaithra Gopalareddy <chaithra.gopalareddy@oracle.com> | 2012-12-26 20:21:19 +0530 |
---|---|---|
committer | Chaithra Gopalareddy <chaithra.gopalareddy@oracle.com> | 2012-12-26 20:21:19 +0530 |
commit | fa61c0499a714541e363abd20c75c7adae1780d7 (patch) | |
tree | 5ee35263603c8595cd18445b603bb478947468b1 /sql/tztime.cc | |
parent | 5cf9e19365bb89d45d37b7eb51d398e26d52f74d (diff) | |
Bug#12347040: MEMORY LEAK IN CONVERT_TZ COULD POSSIBLY CAUSE
DOS ATTACKS
Problem:
For detailed description, see Bug#42502. This bug is a duplicate
of Bug#42502. The complete fix for Bug#42502 was not made as
proposed. Hence the bug still persists.
Fix:
Make the changes as originally proposed for the fix of Bug#42502,
that is, remove the memory allocation that is done before we actually
check for any errors.
sql/tztime.cc:
Remove the double allocation for tz_info
Diffstat (limited to 'sql/tztime.cc')
-rw-r--r-- | sql/tztime.cc | 21 |
1 files changed, 3 insertions, 18 deletions
diff --git a/sql/tztime.cc b/sql/tztime.cc
index 922cfd1fad6..81a80686de2 100644
--- a/sql/tztime.cc
+++ b/sql/tztime.cc
@@ -1808,7 +1808,7 @@ static Time_zone*
 tz_load_from_open_tables(const String *tz_name, TABLE_LIST *tz_tables)
 {
 TABLE *table= 0;
- TIME_ZONE_INFO *tz_info;
+ TIME_ZONE_INFO *tz_info= NULL;
 Tz_names_entry *tmp_tzname;
 Time_zone *return_val= 0;
 int res;
@@ -1816,7 +1816,8 @@ tz_load_from_open_tables(const String *tz_name, TABLE_LIST *tz_tables)
 my_time_t ttime;
 char buff[MAX_FIELD_WIDTH];
 String abbr(buff, sizeof(buff), &my_charset_latin1);
- char *alloc_buff, *tz_name_buff;
+ char *alloc_buff= NULL;
+ char *tz_name_buff= NULL;
 /* Temporary arrays that are used for loading of data for filling TIME_ZONE_INFO structure
@@ -1836,22 +1837,6 @@ tz_load_from_open_tables(const String *tz_name, TABLE_LIST *tz_tables)
 DBUG_ENTER("tz_load_from_open_tables");
- /* Prepare tz_info for loading also let us make copy of time zone name */
- if (!(alloc_buff= (char*) alloc_root(&tz_storage, sizeof(TIME_ZONE_INFO) +
- tz_name->length() + 1)))
- {
- sql_print_error("Out of memory while loading time zone description");
- return 0;
- }
- tz_info= (TIME_ZONE_INFO *)alloc_buff;
- bzero(tz_info, sizeof(TIME_ZONE_INFO));
- tz_name_buff= alloc_buff + sizeof(TIME_ZONE_INFO);
- /*
- By writing zero to the end we guarantee that we can call ptr()
- instead of c_ptr() for time zone name.
- */
- strmake(tz_name_buff, tz_name->ptr(), tz_name->length());
-
 /* Let us find out time zone id by its name (there is only one index and it is specifically for this purpose). |
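Review bot: `tz_info`, `alloc_buff` and `tz_name_buff` are now initialised to NULL (in this hunk and in the `@@ -1816` hunk), but the allocation that is meant to assign them is not in any hunk, so this diff alone cannot confirm that every remaining use comes after it. The commit message implies a second allocation further down in tz_load_from_open_tables, whose body continues outside the hunks. Check that no read of `tz_info` or write through `tz_name_buff` remains between the removed block and that allocation, because such a use would now be a NULL dereference on the CONVERT_TZ path instead of a leak. A comment at the declarations would keep the ordering from being undone later, for example `/* Allocated from tz_storage only after the time zone name has been found; a failed lookup must not allocate (Bug#12347040). */`. Since the defect is growth of `tz_storage` on repeated lookups of unknown names, a regression test that repeats CONVERT_TZ with a nonexistent zone name would pin the fix, if one is not already part of the full commit.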