Merge sinisa@work.mysql.com:/home/bk/mysql

into sinisa.nasamreza.org:/mnt/work/mysql

Merge sinisa@work.mysql.com:/home/bk/mysql
into sinisa.nasamreza.org:/mnt/work/mysql
91e1b1b1 · unknown · a0efe927 · faefac30 · 91e1b1b1 · 91e1b1b1
Commit 91e1b1b1 authored Dec 04, 2002 by unknown
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 6 deletions

libmysql/libmysql.c libmysql/libmysql.c +10 -2

sql/sql_parse.cc sql/sql_parse.cc +4 -4

No files found.
--- a/libmysql/libmysql.c
+++ b/libmysql/libmysql.c
@@ -307,7 +307,7 @@ net_safe_read(MYSQL *mysql)
    DBUG_PRINT("error",("Wrong connection or packet. fd: %s  len: %d",
 			vio_description(net->vio),len));
    end_server(mysql);
-    net->last_errno=(net->last_errno == ER_NET_PACKET_TOO_LARGE ? 
+    net->last_errno=(net->last_errno == ER_NET_PACKET_TOO_LARGE ?
 		     CR_NET_PACKET_TOO_LARGE:
 		     CR_SERVER_LOST);
    strmov(net->last_error,ER(net->last_errno));
@@ -891,7 +891,7 @@ static MYSQL_DATA *read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields,
  uint	field,pkt_len;
  ulong len;
  uchar *cp;
-  char	*to;
+  char	*to, *end_to;
  MYSQL_DATA *result;
  MYSQL_ROWS **prev_ptr,*cur;
  NET *net = &mysql->net;
@@ -929,6 +929,7 @@ static MYSQL_DATA *read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields,
    *prev_ptr=cur;
    prev_ptr= &cur->next;
    to= (char*) (cur->data+fields+1);
+    end_to=to+pkt_len-1;
    for (field=0 ; field < fields ; field++)
    {
      if ((len=(ulong) net_field_length(&cp)) == NULL_LENGTH)
@@ -938,6 +939,13 @@ static MYSQL_DATA *read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields,
      else
      {
 	cur->data[field] = to;
+        if (to+len > end_to)
+        {
+          free_rows(result);
+          net->last_errno=CR_UNKNOWN_ERROR;
+          strmov(net->last_error,ER(net->last_errno));
+          DBUG_RETURN(0);
+        }
 	memcpy(to,(char*) cp,len); to[len]=0;
 	to+=len+1;
 	cp+=len;

--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -109,6 +109,8 @@ static bool check_user(THD *thd,enum_server_command command, const char *user,
  NET *net= &thd->net;
  thd->db=0;
+  if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH)
+    return 1;
  if (!(thd->user = my_strdup(user, MYF(0))))
  {
    send_error(net,ER_OUT_OF_RESOURCES);
@@ -458,8 +460,6 @@ check_connections(THD *thd)
  char *user=   (char*) net->read_pos+5;
  char *passwd= strend(user)+1;
  char *db=0;
-  if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH)
-    return ER_HANDSHAKE_ERROR;
  if (thd->client_capabilities & CLIENT_CONNECT_WITH_DB)
    db=strend(passwd)+1;
  if (thd->client_capabilities & CLIENT_INTERACTIVE)
@@ -768,8 +768,8 @@ bool do_command(THD *thd)
      thread_safe_increment(com_other,&LOCK_thread_count);
      slow_command = TRUE;
      char* data = packet + 1;
-      uint db_len = *data;
+      uint db_len = *(uchar *)data;
-      uint tbl_len = *(data + db_len + 1);
+      uint tbl_len = *(uchar *)(data + db_len + 1);
      char* db = sql_alloc(db_len + tbl_len + 2);
      memcpy(db, data + 1, db_len);
      char* tbl_name = db + db_len;