From 39af19aa33ee0c988af8eb8ab7d621b1f0ed618e Mon Sep 17 00:00:00 2001
From: Georg Richter
Date: Wed, 5 Sep 2018 15:48:41 +0200
Subject: [PATCH] Fix for security vulnerability CVE-2018-3081
---
 libmariadb/libmariadb.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/libmariadb/libmariadb.c b/libmariadb/libmariadb.c
index 289b18dc6..2f0953f01 100644
--- a/libmariadb/libmariadb.c
+++ b/libmariadb/libmariadb.c
@@ -1163,6 +1163,8 @@ unpack_fields(MYSQL_DATA *data,MEM_ROOT *alloc,uint fields,
 for (row=data->data; row ; row = row->next,field++)
 {
+ if (field >= result + fields)
+ goto error;
 for (i=0; i < field_count; i++)
 {
 switch(row->data[i][0]) {
@@ -1206,8 +1208,14 @@ unpack_fields(MYSQL_DATA *data,MEM_ROOT *alloc,uint fields,
 field->def=0;
 field->max_length= 0;
 }
+ if (field < result + fields)
+ goto error;
 free_rows(data); /* Free old data */
 DBUG_RETURN(result);
+error:
+ free_rows(data);
+ free_root(alloc, MYF(0));
+ return(0);
 }
@@ -2308,14 +2316,16 @@ static void mysql_close_options(MYSQL *mysql)
 my_free(mysql->options.extension->ssl_fp_list);
 if(hash_inited(&mysql->options.extension->connect_attrs))
 hash_free(&mysql->options.extension->connect_attrs);
- if ((ctxt = mysql->options.extension->async_context) != 0)
+ if (mysql->options.extension && (ctxt = mysql->options.extension->async_context) != 0)
 {
 my_context_destroy(&ctxt->async_context);
 my_free(ctxt);
+ mysql->options.extension->async_context= 0;
 }
 }
 my_free(mysql->options.extension);
+ mysql->options.extension= 0;
 /* clear all pointer */
 memset(&mysql->options, 0, sizeof(mysql->options));
 }
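Review bot: In the first unpack_fields hunk, the context line `switch(row->data[i][0]) {` still dereferences each column pointer without a check. The added `field >= result + fields` test bounds how many rows are consumed, but not what a single row contains. If `row->data[i]` can be NULL for a server-supplied row (not visible here), a guard such as `if (!row->data[i]) goto error;` ahead of the switch would route that case to the same cleanup. The loop body and the start of the function lie outside the hunk.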
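Review bot: The new `error:` path in the second unpack_fields hunk leaves through `return(0);`, while the success path directly above it uses `DBUG_RETURN(result);`. If the function opens with DBUG_ENTER, which is outside the hunk, the plain return skips the matching trace exit in debug builds; `DBUG_RETURN(0);` would keep both exits consistent. A comment on the label, for example `/* malformed field packet: frees the rows and everything allocated from alloc */`, would also help. It would tell callers that `free_root(alloc, MYF(0))` releases their whole MEM_ROOT and that a NULL return here is not necessarily an allocation failure.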
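Review bot: In the mysql_close_options hunk, the added `mysql->options.extension &&` test comes after `my_free(mysql->options.extension->ssl_fp_list);` and the `hash_inited(&mysql->options.extension->connect_attrs)` call, both of which already dereference the same pointer. The two closing braces suggest an enclosing `if (mysql->options.extension)` block that starts outside the hunk; if so, the new test is redundant and wrongly implies that `extension` may be NULL at this point. If there is no such enclosing check, the guard needs to sit above the first dereference rather than on the `async_context` line. Either way, a one-line comment stating which invariant holds here would settle it for the next reader.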