mirror of https://github.com/MariaDB/server.git synced 2026-01-06 05:22:24 +03:00

Bug #28934: server crash when receiving malformed com_execute packets

Sometimes a parameter slot may not get a value because of the protocol
 data being plain wrong.
 Such cases should be detected and handled by returning an error.
 Fixed by checking data stream constraints where possible (like maximum
 length) and reacting to the case where a value cannot be constructed.
gkodinov/kgeorge@magare.gmz
2007-06-12 11:02:34 +03:00
parent c25c178112
commit b9876c6e9c
2 changed files with 93 additions and 0 deletions


@@ -562,6 +562,8 @@ void set_param_date(Item_param *param, uchar **pos, ulong len)
static void set_param_str(Item_param *param, uchar **pos, ulong len)
{
ulong length= get_param_length(pos, len);
if (length > len)
length= len;
param->set_str((const char *)*pos, length);
*pos+= length;
}
@@ -731,6 +733,8 @@ static bool insert_params_withlog(Prepared_statement *stmt, uchar *null_array,
if (read_pos >= data_end)
DBUG_RETURN(1);
param->set_param_func(param, &read_pos, data_end - read_pos);
if (param->state == Item_param::NO_VALUE)
DBUG_RETURN(1);
}
}
res= param->query_val_str(&str);
@@ -767,6 +771,8 @@ static bool insert_params(Prepared_statement *stmt, uchar *null_array,
if (read_pos >= data_end)
DBUG_RETURN(1);
param->set_param_func(param, &read_pos, data_end - read_pos);
if (param->state == Item_param::NO_VALUE)
DBUG_RETURN(1);
}
}
if (param->convert_str_value(stmt->thd))
@@ -849,6 +855,8 @@ static bool emb_insert_params(Prepared_statement *stmt, String *expanded_query)
client_param->length ?
*client_param->length :
client_param->buffer_length);
if (param->state == Item_param::NO_VALUE)
DBUG_RETURN(1);
}
}
if (param->convert_str_value(thd))
@@ -890,6 +898,8 @@ static bool emb_insert_params_withlog(Prepared_statement *stmt, String *query)
client_param->length ?
*client_param->length :
client_param->buffer_length);
if (param->state == Item_param::NO_VALUE)
DBUG_RETURN(1);
}
}
res= param->query_val_str(&str);
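Review bot: In set_param_str (first hunk) the new clamp `if (length > len) length= len;` bounds the copy by `len`, which was measured before get_param_length() read the length prefix through `pos`. The helper's body is not shown here, but if it advances `*pos`, the set_str() call can still read past the end of the packet by the size of that prefix. Bounding against what remains after the prefix would close the gap: save `uchar *start= *pos;` before the call, then use `ulong avail= len - (ulong) (*pos - start);` and `if (length > avail) length= avail;`, assuming the helper never advances by more than `len`. Separately, the clamp silently stores a truncated string when the declared length exceeds the data, while the NO_VALUE checks added in the four insert_params variants reject malformed input. A one-line comment saying the truncation is intentional, or leaving the parameter unset so those checks fire, would make the intended behaviour explicit.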