Commit eb37c17d authored by serg@serg.mysql.com's avatar serg@serg.mysql.com

better fix for read_rows, same for read_one_row

parent 9e61e636
...@@ -939,7 +939,7 @@ static MYSQL_DATA *read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields, ...@@ -939,7 +939,7 @@ static MYSQL_DATA *read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields,
else else
{ {
cur->data[field] = to; cur->data[field] = to;
if (to+len > end_to) if (len > end_to - to)
{ {
free_rows(result); free_rows(result);
net->last_errno=CR_UNKNOWN_ERROR; net->last_errno=CR_UNKNOWN_ERROR;
...@@ -980,7 +980,7 @@ read_one_row(MYSQL *mysql,uint fields,MYSQL_ROW row, ulong *lengths) ...@@ -980,7 +980,7 @@ read_one_row(MYSQL *mysql,uint fields,MYSQL_ROW row, ulong *lengths)
{ {
uint field; uint field;
ulong pkt_len,len; ulong pkt_len,len;
uchar *pos,*prev_pos; uchar *pos,*prev_pos, *end_pos;
if ((pkt_len=(uint) net_safe_read(mysql)) == packet_error) if ((pkt_len=(uint) net_safe_read(mysql)) == packet_error)
return -1; return -1;
...@@ -988,6 +988,7 @@ read_one_row(MYSQL *mysql,uint fields,MYSQL_ROW row, ulong *lengths) ...@@ -988,6 +988,7 @@ read_one_row(MYSQL *mysql,uint fields,MYSQL_ROW row, ulong *lengths)
return 1; /* End of data */ return 1; /* End of data */
prev_pos= 0; /* allowed to write at packet[-1] */ prev_pos= 0; /* allowed to write at packet[-1] */
pos=mysql->net.read_pos; pos=mysql->net.read_pos;
end_pos=pos+pkt_len;
for (field=0 ; field < fields ; field++) for (field=0 ; field < fields ; field++)
{ {
if ((len=(ulong) net_field_length(&pos)) == NULL_LENGTH) if ((len=(ulong) net_field_length(&pos)) == NULL_LENGTH)
...@@ -997,6 +998,12 @@ read_one_row(MYSQL *mysql,uint fields,MYSQL_ROW row, ulong *lengths) ...@@ -997,6 +998,12 @@ read_one_row(MYSQL *mysql,uint fields,MYSQL_ROW row, ulong *lengths)
} }
else else
{ {
if (len > end_pos - pos)
{
mysql->net.last_errno=CR_UNKNOWN_ERROR;
strmov(mysql->net.last_error,ER(mysql->net.last_errno));
return -1;
}
row[field] = (char*) pos; row[field] = (char*) pos;
pos+=len; pos+=len;
*lengths++=len; *lengths++=len;
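Review bot: The added guard `if (len > end_pos - pos)` in read_one_row bounds only the field body, because the length prefix is decoded by `net_field_length(&pos)` before `pos` is compared with `end_pos`. If that call can move `pos` past `end_pos` on a truncated packet (its body is not shown here, so this is inferred), `end_pos - pos` becomes negative. Where `ulong` is as wide as the pointer difference, that negative value is converted to a large unsigned number for the comparison, so the check passes and `row[field]` points outside the packet. Testing the pointer first closes the case: `if (pos > end_pos || len > (ulong) (end_pos - pos))`. The body of read_one_row starts and ends outside the hunks shown, so whether the final `pos` is validated after the loop cannot be confirmed from this page.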
......