From c92c788c8511384f6f16a05d4c5fe9385f267b29 Mon Sep 17 00:00:00 2001
From: Andrey Hristov
Date: Tue, 27 Apr 2010 08:02:08 +0000
Subject: [PATCH] Fixed possible buffer overflow in mysqlnd_conn__list_fields.
---
 NEWS | 1 +
 ext/mysqlnd/mysqlnd.c | 10 ++++++----
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/NEWS b/NEWS
index 808725476b..9e46316cb5 100644
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,7 @@ PHP NEWS
 - Implemented FR#35638 (Adding udate to imap_fetch_overview results). (Charles_Duffy at dell dot com )
+- Fixed possible buffer overflow in mysqlnd_list_fields. (Andrey)
 - Fixed handling of session variable serialization on certain prefix characters. Reported by Stefan Esser (Ilia)
diff --git a/ext/mysqlnd/mysqlnd.c b/ext/mysqlnd/mysqlnd.c
index 69c294368e..df400f1e5e 100644
--- a/ext/mysqlnd/mysqlnd.c
+++ b/ext/mysqlnd/mysqlnd.c
@@ -1074,14 +1074,16 @@ MYSQLND_METHOD(mysqlnd_conn, list_fields)(MYSQLND * conn, const char *table, con
 p = buff;
 if (table && (table_len = strlen(table))) {
- memcpy(p, table, MIN(table_len, MYSQLND_MAX_ALLOWED_DB_LEN * 4));
- p += table_len;
+ size_t to_copy = MIN(table_len, MYSQLND_MAX_ALLOWED_DB_LEN * 4);
+ memcpy(p, table, to_copy);
+ p += to_copy;
 *p++ = '\0';
 }
 if (achtung_wild && (wild_len = strlen(achtung_wild))) {
- memcpy(p, achtung_wild, MIN(wild_len, MYSQLND_MAX_ALLOWED_DB_LEN * 4));
- p += wild_len;
+ size_t to_copy = MIN(wild_len, MYSQLND_MAX_ALLOWED_DB_LEN * 4);
+ memcpy(p, achtung_wild, to_copy);
+ p += to_copy;
 *p++ = '\0';
 }
-- 
2.40.0
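Review bot: Both copies now stay in bounds, but an over-long `table` or `achtung_wild` is still silently truncated to `MYSQLND_MAX_ALLOWED_DB_LEN * 4` bytes in the two `to_copy` blocks, so the request goes out naming a different identifier than the caller passed. Rejecting the call when `table_len` or `wild_len` exceeds the limit would be safer than clamping, e.g. a guard such as `if (table_len > MYSQLND_MAX_ALLOWED_DB_LEN * 4) { /* fail the call */ }` ahead of each `memcpy`. The declaration of `buff` is outside this hunk, so it is worth confirming that it holds two fields of that size plus both terminators; a comment next to the clamp stating that invariant, or a shared named constant for the `* 4` limit, would keep the bound and the buffer size from drifting apart. The function body starts and ends outside the hunk.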