1berry/MariaDB-server
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Bug#25471090: MYSQL USE AFTER FREE

Browse Source 
a better fix
This commit is contained in:
Sergei Golubchik 2018-04-30 13:50:59 +02:00
parent 5cfe52314e
commit a52c46e069
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sql-common/client.c
View File

@ -1636,7 +1636,7 @@ MYSQL_DATA *cli_read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields,
else else
{ {
cur->data[field] = to; cur->data[field] = to;
if (to + len > end_to) if (unlikely(len > (ulong)(end_to-to) || to > end_to))
{ {
free_rows(result); free_rows(result);
set_mysql_error(mysql, CR_MALFORMED_PACKET, unknown_sqlstate); set_mysql_error(mysql, CR_MALFORMED_PACKET, unknown_sqlstate);
@ -1708,7 +1708,7 @@ read_one_row(MYSQL *mysql,uint fields,MYSQL_ROW row, ulong *lengths)
} }
else else
{ {
if (pos + len > end_pos) if (unlikely(len > (ulong)(end_pos - pos) || pos > end_pos))
{ {
set_mysql_error(mysql, CR_UNKNOWN_ERROR, unknown_sqlstate); set_mysql_error(mysql, CR_UNKNOWN_ERROR, unknown_sqlstate);
return -1; return -1;