database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-08-08 11:22:35 +03:00
Code Activity

Bug #28934: server crash when receiving malformed com_execute packets

Browse Source 
Sometimes a parameter slot may not get a value because of the protocol
 data being plain wrong.
 Such cases should be detected and handled by returning an error.
 Fixed by checking data stream constraints where possible (like maximum
 length) and reacting to the case where a value cannot be constructed.


sql/sql_prepare.cc:
  Bug #28934: 
   - check for a parameter slot not being set because 
      of wrong data
   - check if the length read from the stream is not
      greater than the maximum length of the field
tests/mysql_client_test.c:
  Bug #28934: test case
This commit is contained in:
unknown
2007-06-12 11:02:34 +03:00
parent 59d139eb29
commit e164c08eaf
2 changed files with 93 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
sql/sql_prepare.cc
View File

@@ -562,6 +562,8 @@ void set_param_date(Item_param *param, uchar **pos, ulong len)
static void set_param_str(Item_param *param, uchar **pos, ulong len)
{
ulong length= get_param_length(pos, len);
if (length > len)
length= len;
param->set_str((const char *)*pos, length);
*pos+= length;
}
@@ -731,6 +733,8 @@ static bool insert_params_withlog(Prepared_statement *stmt, uchar *null_array,
if (read_pos >= data_end)
DBUG_RETURN(1);
param->set_param_func(param, &read_pos, data_end - read_pos);
if (param->state == Item_param::NO_VALUE)
DBUG_RETURN(1);
}
}
res= param->query_val_str(&str);
@@ -767,6 +771,8 @@ static bool insert_params(Prepared_statement *stmt, uchar *null_array,
if (read_pos >= data_end)
DBUG_RETURN(1);
param->set_param_func(param, &read_pos, data_end - read_pos);
if (param->state == Item_param::NO_VALUE)
DBUG_RETURN(1);
}
}
if (param->convert_str_value(stmt->thd))
@@ -849,6 +855,8 @@ static bool emb_insert_params(Prepared_statement *stmt, String *expanded_query)
client_param->length ?
*client_param->length :
client_param->buffer_length);
if (param->state == Item_param::NO_VALUE)
DBUG_RETURN(1);
}
}
if (param->convert_str_value(thd))
@@ -890,6 +898,8 @@ static bool emb_insert_params_withlog(Prepared_statement *stmt, String *query)
client_param->length ?
*client_param->length :
client_param->buffer_length);
if (param->state == Item_param::NO_VALUE)
DBUG_RETURN(1);
}
}
res= param->query_val_str(&str);