Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields
authorStanislav Malyshev <stas@php.net>
Tue, 13 Sep 2016 04:07:44 +0000 (21:07 -0700)
committerStanislav Malyshev <stas@php.net>
Tue, 13 Sep 2016 04:07:44 +0000 (21:07 -0700)
ext/mysqlnd/mysqlnd_wireprotocol.c

index 48b64c19f04f09b2358a2cfc5b14639d1fbee0ef..bd0ee2a4775a44aec8a0e36ff742e763719aaa93 100644 (file)
@@ -1635,6 +1635,7 @@ php_mysqlnd_rowp_read_text_protocol_aux(MYSQLND_MEMORY_POOL_CHUNK * row_buffer,
        zend_uchar * p = row_buffer->ptr;
        size_t data_size = row_buffer->app;
        zend_uchar * bit_area = (zend_uchar*) row_buffer->ptr + data_size + 1; /* we allocate from here */
+       const zend_uchar * const packet_end = (zend_uchar*) row_buffer->ptr + data_size;
 
        DBG_ENTER("php_mysqlnd_rowp_read_text_protocol_aux");
 
@@ -1651,6 +1652,10 @@ php_mysqlnd_rowp_read_text_protocol_aux(MYSQLND_MEMORY_POOL_CHUNK * row_buffer,
                /* NULL or NOT NULL, this is the question! */
                if (len == MYSQLND_NULL_LENGTH) {
                        ZVAL_NULL(current_field);
+               } else if ((p + len) > packet_end) {
+                       php_error_docref(NULL, E_WARNING, "Malformed server packet. Field length pointing "MYSQLND_SZ_T_SPEC
+                                                                                         " bytes after end of packet", (p + len) - packet_end - 1);
+                       DBG_RETURN(FAIL);
                } else {
 #if defined(MYSQLND_STRING_TO_INT_CONVERSION)
                        struct st_mysqlnd_perm_bind perm_bind =
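Review bot: The new bound check on the `} else if ((p + len) > packet_end) {` line forms the pointer first and compares afterwards, so a wire-supplied `len` large enough to carry `p` far past the row buffer is undefined pointer arithmetic and, on real targets, can wrap to an address below `packet_end` and pass the check; comparing lengths avoids that: `} else if (p > packet_end || len > (size_t)(packet_end - p)) {`. The `p > packet_end` half is a precaution I cannot confirm is needed from here, since the decoder that produced `len` and advanced `p` is outside the hunk; if it can step `p` past `packet_end`, the unsigned cast would otherwise turn a negative remainder into a huge limit. The warning text also deserves a look: `(p + len) - packet_end - 1` is a ptrdiff_t printed with MYSQLND_SZ_T_SPEC, which appears to be a size_t specifier, and a field that overruns by exactly one byte is reported as "0 bytes after end of packet"; printing `len - (size_t)(packet_end - p)` gives the exact excess and the right type. The enclosing per-field loop and php_mysqlnd_rowp_read_text_protocol_aux itself both begin before this hunk and continue after it.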