Bug #19216: Client crashes on long SELECT

The server sends a number of columns to the client. It uses a limited "fast" function for that instead of the general one. This fast function cannot send numbers larger than 2 bytes. This causes the client to expect smaller number of columns. The client writes outside of the allocated memory buffer as a result. Fixed the server to use the general function to send column count. Fixed the client to check the column count before writing column data. mysql-test/t/mysql_client.test: Bug #19216: Client crashes on long SELECT - test case sql/protocol.cc: Bug #19216: Client crashes on long SELECT - renamed the function for bether comprehention and made it local - used the right (non-local) function to transfer the column count in Protocol::send_fields sql/protocol.h: Bug #19216: Client crashes on long SELECT - made optimized net_store_length local sql-common/client.c: Bug #19216: Client crashes on long SELECT - fixed the client to check for older servers (without the fix).
2026-01-06 05:22:24 +03:00 · 2006-11-13 12:28:55 +02:00
parent 8b447a8af7
commit f53af7b8e5
4 changed files with 29 additions and 10 deletions
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -1173,6 +1173,8 @@ unpack_fields(MYSQL_DATA *data,MEM_ROOT *alloc,uint fields,
    for (row=data->data; row ; row = row->next,field++)
    {
      uchar *pos;
+      /* fields count may be wrong */
+      DBUG_ASSERT ((field - result) < fields);
      cli_fetch_lengths(&lengths[0], row->data, default_value ? 8 : 7);
      field->catalog  = strdup_root(alloc,(char*) row->data[0]);
      field->db       = strdup_root(alloc,(char*) row->data[1]);