From 7828ba0df488de8c793e41e4bd3de79e06c2537f Mon Sep 17 00:00:00 2001
From: Sergei Golubchik
Date: Thu, 19 Apr 2018 22:39:24 +0200
Subject: Bug#25471090: MYSQL USE AFTER FREE in a specially crafted invalid packet, one can get end_pos < pos here
---
 sql-common/client.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'sql-common')
diff --git a/sql-common/client.c b/sql-common/client.c
index fc591e21616..bb7bdb1ff7d 100644
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -1708,7 +1708,7 @@ read_one_row(MYSQL *mysql,uint fields,MYSQL_ROW row, ulong *lengths)
 }
 else
 {
- if (len > (ulong) (end_pos - pos))
+ if (pos + len > end_pos)
 {
 set_mysql_error(mysql, CR_UNKNOWN_ERROR, unknown_sqlstate);
 return -1;
--
cgit v1.2.1
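Review bot: The new guard `if (pos + len > end_pos)` forms the pointer `pos + len` before comparing it, and `len` looks like a length decoded from the packet (the removed line cast the difference to `ulong`, so it is presumably an unsigned long; its assignment is outside the hunk). If `len` is large enough, `pos + len` lands beyond the end of the buffer, which is undefined behaviour in C and can wrap on 32-bit builds so that the comparison passes and a malformed row is accepted. Keeping the subtraction form and adding the ordering test covers both the `end_pos < pos` case from the commit message and an oversized `len`, without out-of-range pointer arithmetic: `if (pos > end_pos || len > (ulong) (end_pos - pos))`. A one-line comment such as `/* malformed packet: pos may already be past end_pos */` would record why the ordering test is there. read_one_row starts and ends outside the hunk, so whether `pos` is validated earlier cannot be seen from here.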