summaryrefslogtreecommitdiff
path: root/sql/field.cc
diff options
context:
space:
mode:
Diffstat (limited to 'sql/field.cc')
-rw-r--r--sql/field.cc74
1 files changed, 60 insertions, 14 deletions
diff --git a/sql/field.cc b/sql/field.cc
index f0f0ca2c8f4..f5b43c69f63 100644
--- a/sql/field.cc
+++ b/sql/field.cc
@@ -1496,11 +1496,13 @@ Field::pack(uchar *to, const uchar *from, uint max_length)
data
@return New pointer into memory based on from + length of the data
+ @return 0 if wrong data
*/
const uchar *
-Field::unpack(uchar* to, const uchar *from, uint param_data)
+Field::unpack(uchar* to, const uchar *from, const uchar *from_end,
+ uint param_data)
{
- uint length=pack_length();
+ uint length=pack_length(), len;
int from_type= 0;
/*
If from length is > 255, it has encoded data in the upper bits. Need
@@ -1516,14 +1518,19 @@ Field::unpack(uchar* to, const uchar *from, uint param_data)
(length == param_data) ||
(from_type != real_type()))
{
+ if (from + length > from_end)
+ return 0; // Error in data
+
memcpy(to, from, length);
return from+length;
}
- uint len= (param_data && (param_data < length)) ?
- param_data : length;
+ len= (param_data && (param_data < length)) ? param_data : length;
+
+ if (from + len > from_end)
+ return 0; // Error in data
- memcpy(to, from, param_data > length ? length : len);
+ memcpy(to, from, len);
return from+len;
}
@@ -2907,10 +2914,11 @@ uint Field_new_decimal::is_equal(Create_field *new_field)
@return New pointer into memory based on from + length of the data
*/
const uchar *
-Field_new_decimal::unpack(uchar* to, const uchar *from, uint param_data)
+Field_new_decimal::unpack(uchar* to, const uchar *from, const uchar *from_end,
+ uint param_data)
{
if (param_data == 0)
- return Field::unpack(to, from, param_data);
+ return Field::unpack(to, from, from_end, param_data);
uint from_precision= (param_data & 0xff00) >> 8U;
uint from_decimal= param_data & 0x00ff;
@@ -2940,7 +2948,11 @@ Field_new_decimal::unpack(uchar* to, const uchar *from, uint param_data)
decimal2bin(&dec_val, to, precision, decimals());
}
else
+ {
+ if (from + len > from_end)
+ return 0; // Wrong data
memcpy(to, from, len); // Sizes are the same, just copy the data.
+ }
return from+len;
}
@@ -6369,7 +6381,8 @@ uchar *Field_string::pack(uchar *to, const uchar *from, uint max_length)
@return New pointer into memory based on from + length of the data
*/
const uchar *
-Field_string::unpack(uchar *to, const uchar *from, uint param_data)
+Field_string::unpack(uchar *to, const uchar *from, const uchar *from_end,
+ uint param_data)
{
uint from_length, length;
@@ -6391,11 +6404,19 @@ Field_string::unpack(uchar *to, const uchar *from, uint param_data)
*/
if (from_length > 255)
{
+ if (from + 2 > from_end)
+ return 0;
length= uint2korr(from);
from+= 2;
}
else
+ {
+ if (from + 1 > from_end)
+ return 0;
length= (uint) *from++;
+ }
+ if (from + length > from_end || length > field_length)
+ return 0;
memcpy(to, from, length);
// Pad the string with the pad character of the fields charset
@@ -6818,11 +6839,16 @@ uchar *Field_varstring::pack(uchar *to, const uchar *from, uint max_length)
@return New pointer into memory based on from + length of the data
*/
const uchar *
-Field_varstring::unpack(uchar *to, const uchar *from, uint param_data)
+Field_varstring::unpack(uchar *to, const uchar *from, const uchar *from_end,
+ uint param_data)
{
uint length;
uint l_bytes= (param_data && (param_data < field_length)) ?
(param_data <= 255) ? 1 : 2 : length_bytes;
+
+ if (from + l_bytes > from_end)
+ return 0; // Error in data
+
if (l_bytes == 1)
{
to[0]= *from++;
@@ -6837,7 +6863,11 @@ Field_varstring::unpack(uchar *to, const uchar *from, uint param_data)
to[1]= *from++;
}
if (length)
+ {
+ if (from + length > from_end || length > field_length)
+ return 0; // Error in data
memcpy(to+ length_bytes, from, length);
+ }
return from+length;
}
@@ -7414,16 +7444,21 @@ uchar *Field_blob::pack(uchar *to, const uchar *from, uint max_length)
@return New pointer into memory based on from + length of the data
*/
-const uchar *Field_blob::unpack(uchar *to, const uchar *from, uint param_data)
+const uchar *Field_blob::unpack(uchar *to, const uchar *from,
+ const uchar *from_end, uint param_data)
{
DBUG_ENTER("Field_blob::unpack");
DBUG_PRINT("enter", ("to: 0x%lx; from: 0x%lx; param_data: %u",
(ulong) to, (ulong) from, param_data));
uint const master_packlength=
param_data > 0 ? param_data & 0xFF : packlength;
+ if (from + master_packlength > from_end)
+ DBUG_RETURN(0); // Error in data
uint32 const length= get_length(from, master_packlength);
DBUG_DUMP("packed", from, length + master_packlength);
bitmap_set_bit(table->write_set, field_index);
+ if (from + master_packlength + length > from_end)
+ DBUG_RETURN(0);
store(reinterpret_cast<const char*>(from) + master_packlength,
length, field_charset);
DBUG_DUMP("record", to, table->s->reclength);
@@ -7971,12 +8006,13 @@ uchar *Field_enum::pack(uchar *to, const uchar *from, uint max_length)
DBUG_RETURN(pack_int(to, from, packlength));
}
-const uchar *Field_enum::unpack(uchar *to, const uchar *from, uint param_data)
+const uchar *Field_enum::unpack(uchar *to, const uchar *from,
+ const uchar *from_end, uint param_data)
{
DBUG_ENTER("Field_enum::unpack");
DBUG_PRINT("debug", ("packlength: %d", packlength));
DBUG_DUMP("from", from, packlength);
- DBUG_RETURN(unpack_int(to, from, packlength));
+ DBUG_RETURN(unpack_int(to, from, from_end, packlength));
}
@@ -8472,7 +8508,8 @@ Field_bit::pack(uchar *to, const uchar *from, uint max_length)
@return New pointer into memory based on from + length of the data
*/
const uchar *
-Field_bit::unpack(uchar *to, const uchar *from, uint param_data)
+Field_bit::unpack(uchar *to, const uchar *from, const uchar *from_end,
+ uint param_data)
{
DBUG_ENTER("Field_bit::unpack");
DBUG_PRINT("enter", ("to: %p, from: %p, param_data: 0x%x",
@@ -8490,6 +8527,9 @@ Field_bit::unpack(uchar *to, const uchar *from, uint param_data)
if (param_data == 0 ||
((from_bit_len == bit_len) && (from_len == bytes_in_rec)))
{
+ if (from + bytes_in_rec + test(bit_len) > from_end)
+ return 0; // Error in data
+
if (bit_len > 0)
{
/*
@@ -8514,10 +8554,16 @@ Field_bit::unpack(uchar *to, const uchar *from, uint param_data)
Lastly the odd bits need to be masked out if the bytes_in_rec > 0.
Otherwise stray bits can cause spurious values.
*/
+
+ uint len= from_len + ((from_bit_len > 0) ? 1 : 0);
uint new_len= (field_length + 7) / 8;
+
+ if (from + len > from_end || new_len < len)
+ return 0; // Error in data
+
char *value= (char *)my_alloca(new_len);
bzero(value, new_len);
- uint len= from_len + ((from_bit_len > 0) ? 1 : 0);
+
memcpy(value + (new_len - len), from, len);
/*
Mask out the unused bits in the partial byte.