Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields
  • Loading branch information
smalyshev committed Sep 13, 2016
1 parent 33d0ef0 commit 28f80ba
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion ext/mysqlnd/mysqlnd_wireprotocol.c
Expand Up @@ -1585,6 +1585,7 @@ php_mysqlnd_rowp_read_text_protocol_aux(MYSQLND_MEMORY_POOL_CHUNK * row_buffer,
zend_uchar * p = row_buffer->ptr;
size_t data_size = row_buffer->app;
zend_uchar * bit_area = (zend_uchar*) row_buffer->ptr + data_size + 1; /* we allocate from here */
const zend_uchar * const packet_end = (zend_uchar*) row_buffer->ptr + data_size;

DBG_ENTER("php_mysqlnd_rowp_read_text_protocol_aux");

Expand All @@ -1606,8 +1607,13 @@ php_mysqlnd_rowp_read_text_protocol_aux(MYSQLND_MEMORY_POOL_CHUNK * row_buffer,
/* Don't reverse the order. It is significant!*/
zend_uchar *this_field_len_pos = p;
/* php_mysqlnd_net_field_length() call should be after *this_field_len_pos = p; */
unsigned long len = php_mysqlnd_net_field_length(&p);
const unsigned long len = php_mysqlnd_net_field_length(&p);

if (len != MYSQLND_NULL_LENGTH && ((p + len) > packet_end)) {
php_error_docref(NULL, E_WARNING, "Malformed server packet. Field length pointing "MYSQLND_SZ_T_SPEC
" bytes after end of packet", (p + len) - packet_end - 1);
DBG_RETURN(FAIL);
}
if (copy_data == FALSE && current_field > start_field && last_field_was_string) {
/*
Normal queries:
Expand Down

0 comments on commit 28f80ba

Please sign in to comment.