From fa61c0499a714541e363abd20c75c7adae1780d7 Mon Sep 17 00:00:00 2001 From: Chaithra Gopalareddy Date: Wed, 26 Dec 2012 20:21:19 +0530 Subject: Bug#12347040: MEMORY LEAK IN CONVERT_TZ COULD POSSIBLY CAUSE DOS ATTACKS Problem: For detailed description, see Bug#42502. This bug is a duplicate of Bug#42502. The complete fix for Bug#42502 was not made as proposed. Hence the bug still persists. Fix: Make the changes as proposed originally for the bugfix of 42502. Which is to remove the allocation of the memory before we actually check for any errors. sql/tztime.cc: Remove the double allocation for tz_info --- sql/tztime.cc | 21 +++------------------ 1 file changed, 3 insertions(+), 18 deletions(-) (limited to 'sql/tztime.cc') diff --git a/sql/tztime.cc b/sql/tztime.cc index 922cfd1fad6..81a80686de2 100644 --- a/sql/tztime.cc +++ b/sql/tztime.cc @@ -1808,7 +1808,7 @@ static Time_zone* tz_load_from_open_tables(const String *tz_name, TABLE_LIST *tz_tables) { TABLE *table= 0; - TIME_ZONE_INFO *tz_info; + TIME_ZONE_INFO *tz_info= NULL; Tz_names_entry *tmp_tzname; Time_zone *return_val= 0; int res; @@ -1816,7 +1816,8 @@ tz_load_from_open_tables(const String *tz_name, TABLE_LIST *tz_tables) my_time_t ttime; char buff[MAX_FIELD_WIDTH]; String abbr(buff, sizeof(buff), &my_charset_latin1); - char *alloc_buff, *tz_name_buff; + char *alloc_buff= NULL; + char *tz_name_buff= NULL; /* Temporary arrays that are used for loading of data for filling TIME_ZONE_INFO structure 
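Review bot: `tz_info`, `alloc_buff` and `tz_name_buff` (the `-1808,7` hunk and the `-1816,7` hunk) are now NULL from their declaration until an allocation that is not visible in these hunks, so any use of `tz_info` placed before that allocation becomes a NULL dereference. A comment on the declaration would protect that ordering against later edits, for example `/* NULL until the zone description has been loaded and checked; memory is taken from tz_storage only after that */`. As a style point, the neighbouring declarations initialise pointers with `= 0` (`TABLE *table= 0;`, `Time_zone *return_val= 0;`), so `= NULL` is inconsistent within the same declaration list. The function body continues past both hunks, so the position of the remaining allocation cannot be checked here.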
@@ -1836,22 +1837,6 @@ tz_load_from_open_tables(const String *tz_name, TABLE_LIST *tz_tables) DBUG_ENTER("tz_load_from_open_tables"); - /* Prepare tz_info for loading also let us make copy of time zone name */ - if (!(alloc_buff= (char*) alloc_root(&tz_storage, sizeof(TIME_ZONE_INFO) + - tz_name->length() + 1))) - { - sql_print_error("Out of memory while loading time zone description"); - return 0; - } - tz_info= (TIME_ZONE_INFO *)alloc_buff; - bzero(tz_info, sizeof(TIME_ZONE_INFO)); - tz_name_buff= alloc_buff + sizeof(TIME_ZONE_INFO); - /* - By writing zero to the end we guarantee that we can call ptr() - instead of c_ptr() for time zone name. - */ - strmake(tz_name_buff, tz_name->ptr(), tz_name->length()); - /* Let us find out time zone id by its name (there is only one index and it is specifically for this purpose). -- cgit v1.2.1
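Review bot: The removed block held the only visible statement of the invariant that the stored zone name is NUL-terminated (`length() + 1` together with `strmake`, so that `ptr()` can be used instead of `c_ptr()`). The allocation that remains further down the function, outside this hunk, should keep both the `+ 1` and that comment. Because `tz_name` reaches this function from a SQL-level call (CONVERT_TZ, per the subject) and `tz_storage` memory apparently is not released per statement, the remaining allocation should sit after the last error exit of the table lookups; that cannot be confirmed from the lines shown. The commit touches only `sql/tztime.cc`, so a regression case that repeatedly looks up a non-existent zone name would help keep the early allocation from being reintroduced.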