Fix security problem in MySQL client library and server which were

recently discovered by e-matters.

1 files changed, 65 insertions, 0 deletions

diff --git a/databases/mysql-client/patches/patch-al b/databases/mysql-client/patches/patch-al
new file mode 100644
index 00000000000..b4b0e4817e8
--- /dev/null
+++ b/databases/mysql-client/patches/patch-al
@@ -0,0 +1,65 @@
+$NetBSD: patch-al,v 1.1 2002/12/13 14:19:54 tron Exp $
+
+--- libmysql/libmysql.c.orig	Thu Feb 14 18:30:17 2002
++++ libmysql/libmysql.c	Fri Dec 13 15:11:45 2002
+@@ -886,7 +886,7 @@
+   uint	field,pkt_len;
+   ulong len;
+   uchar *cp;
+-  char	*to;
++  char	*to, *end_to;
+   MYSQL_DATA *result;
+   MYSQL_ROWS **prev_ptr,*cur;
+   NET *net = &mysql->net;
+@@ -924,6 +924,7 @@
+     *prev_ptr=cur;
+     prev_ptr= &cur->next;
+     to= (char*) (cur->data+fields+1);
++    end_to=to+pkt_len-1;
+     for (field=0 ; field < fields ; field++)
+     {
+       if ((len=(ulong) net_field_length(&cp)) == NULL_LENGTH)
+@@ -933,6 +934,13 @@
+       else
+       {
+ 	cur->data[field] = to;
++        if (len > end_to - to)
++        {
++          free_rows(result);
++          net->last_errno=CR_UNKNOWN_ERROR;
++          strmov(net->last_error,ER(net->last_errno));
++          DBUG_RETURN(0);
++        }
+ 	memcpy(to,(char*) cp,len); to[len]=0;
+ 	to+=len+1;
+ 	cp+=len;
+@@ -967,7 +975,7 @@
+ {
+   uint field;
+   ulong pkt_len,len;
+-  uchar *pos,*prev_pos;
++  uchar *pos,*prev_pos, *end_pos;
+ 
+   if ((pkt_len=(uint) net_safe_read(mysql)) == packet_error)
+     return -1;
+@@ -975,6 +983,7 @@
+     return 1;				/* End of data */
+   prev_pos= 0;				/* allowed to write at packet[-1] */
+   pos=mysql->net.read_pos;
++  end_pos=pos+pkt_len;
+   for (field=0 ; field < fields ; field++)
+   {
+     if ((len=(ulong) net_field_length(&pos)) == NULL_LENGTH)
+@@ -984,6 +993,12 @@
+     }
+     else
+     {
++      if (len > end_pos - pos)
++      {
++        mysql->net.last_errno=CR_UNKNOWN_ERROR;
++        strmov(mysql->net.last_error,ER(mysql->net.last_errno));
++        return -1;
++      }
+       row[field] = (char*) pos;
+       pos+=len;
+       *lengths++=len;