Bug#25471090: MYSQL USE AFTER FREE

in a specially crafted invalid packet, one can get end_pos < pos here
2025-07-21 21:22:27 +03:00 · 2018-04-19 22:39:24 +02:00
parent 149c993b2c
commit 7828ba0df4
1 changed files with 1 additions and 1 deletions
--- a/sql-common/client.c
+++ b/sql-common/client.c
@ -1708,7 +1708,7 @@ read_one_row(MYSQL *mysql,uint fields,MYSQL_ROW row, ulong *lengths)
    }
    else
    {
-      if (len > (ulong) (end_pos - pos))
+      if (pos + len > end_pos)
      {
        set_mysql_error(mysql, CR_UNKNOWN_ERROR, unknown_sqlstate);
        return -1;