
Commit 28f80ba

committed
Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields
1 parent 33d0ef0 commit 28f80ba

1 file changed

+7
-1
lines changed


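--- a/ext/mysqlnd/mysqlnd_wireprotocol.c
+++ b/ext/mysqlnd/mysqlnd_wireprotocol.c
@@ -1585,6 +1585,7 @@ php_mysqlnd_rowp_read_text_protocol_aux(MYSQLND_MEMORY_POOL_CHUNK * row_buffer,
 zend_uchar * p = row_buffer->ptr;
 size_t data_size = row_buffer->app;
 zend_uchar * bit_area = (zend_uchar*) row_buffer->ptr + data_size + 1; /* we allocate from here */
+const zend_uchar * const packet_end = (zend_uchar*) row_buffer->ptr + data_size;
 
 DBG_ENTER("php_mysqlnd_rowp_read_text_protocol_aux");
 
@@ -1606,8 +1607,13 @@ php_mysqlnd_rowp_read_text_protocol_aux(MYSQLND_MEMORY_POOL_CHUNK * row_buffer,
 /* Don't reverse the order. It is significant!*/
 zend_uchar *this_field_len_pos = p;
 /* php_mysqlnd_net_field_length() call should be after *this_field_len_pos = p; */
-unsigned long len = php_mysqlnd_net_field_length(&p);
+const unsigned long len = php_mysqlnd_net_field_length(&p);
 
+if (len != MYSQLND_NULL_LENGTH && ((p + len) > packet_end)) {
+php_error_docref(NULL, E_WARNING, "Malformed server packet. Field length pointing "MYSQLND_SZ_T_SPEC
+" bytes after end of packet", (p + len) - packet_end - 1);
+DBG_RETURN(FAIL);
+}
 if (copy_data == FALSE && current_field > start_field && last_field_was_string) {
 /*
 Normal queries: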
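Review bot: The new bounds check `(p + len) > packet_end` computes a pointer past the buffer before comparing it, and `len` is a server-controlled `unsigned long` that can be large enough to wrap the address, so a hostile length can make the comparison false and reach the copy the fix is meant to guard; forming such a pointer is also undefined behavior that the compiler may fold away. Comparing remaining length instead avoids both problems: `if (len != MYSQLND_NULL_LENGTH && (p > packet_end || len > (size_t)(packet_end - p))) {`. The `p > packet_end` half matters because `php_mysqlnd_net_field_length(&p)` has already advanced `p` by the length-prefix bytes, which this hunk does not itself bound against `packet_end` (whether that helper checks its own reads is not visible here). The warning's argument `(p + len) - packet_end - 1` is a `ptrdiff_t` printed with `MYSQLND_SZ_T_SPEC`, which presumably expects a `size_t`; the value should be cast, and the `- 1` under-reports the overrun by one byte. The enclosing function continues outside the hunk on both sides.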
