Bug#25471090: MYSQL USE AFTER FREE

vuvova · vuvova · commit a52c46e06935 · 2018-04-30T15:49:19.000+02:00
a better fix
diff --git a/sql-common/client.c b/sql-common/client.c
@@ -1636,7 +1636,7 @@ MYSQL_DATA *cli_read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields,
       else
       {
 	cur->data[field] = to;
-        if (to + len > end_to)
+        if (unlikely(len > (ulong)(end_to-to) || to > end_to))
         {
           free_rows(result);
           set_mysql_error(mysql, CR_MALFORMED_PACKET, unknown_sqlstate);
@@ -1708,7 +1708,7 @@ read_one_row(MYSQL *mysql,uint fields,MYSQL_ROW row, ulong *lengths)
     }
     else
     {
-      if (pos + len > end_pos)
+      if (unlikely(len > (ulong)(end_pos - pos) || pos > end_pos))
       {
         set_mysql_error(mysql, CR_UNKNOWN_ERROR, unknown_sqlstate);
         return -1;

Original file line number	Diff line number	Diff line change
`@@ -1636,7 +1636,7 @@ MYSQL_DATA cli_read_rows(MYSQL mysql,MYSQL_FIELD *mysql_fields,`
`1636`	`1636`	`else`
`1637`	`1637`	`{`
`1638`	`1638`	`cur->data[field] = to;`
`1639`		`- if (to + len > end_to)`
	`1639`	`+ if (unlikely(len > (ulong)(end_to-to) \|\| to > end_to))`
`1640`	`1640`	`{`
`1641`	`1641`	`free_rows(result);`
`1642`	`1642`	`set_mysql_error(mysql, CR_MALFORMED_PACKET, unknown_sqlstate);`
`@@ -1708,7 +1708,7 @@ read_one_row(MYSQL mysql,uint fields,MYSQL_ROW row, ulong lengths)`
`1708`	`1708`	`}`
`1709`	`1709`	`else`
`1710`	`1710`	`{`
`1711`		`- if (pos + len > end_pos)`
	`1711`	`+ if (unlikely(len > (ulong)(end_pos - pos) \|\| pos > end_pos))`
`1712`	`1712`	`{`
`1713`	`1713`	`set_mysql_error(mysql, CR_UNKNOWN_ERROR, unknown_sqlstate);`
`1714`	`1714`	`return -1;`