diff options
| author | tron <tron@pkgsrc.org> | 2002-12-13 14:19:54 +0000 |
|---|---|---|
| committer | tron <tron@pkgsrc.org> | 2002-12-13 14:19:54 +0000 |
| commit | b0ff42ef184abe3cbd9c7c68be91593f79d63333 (patch) | |
| tree | 03a1159924ff437a9100709f6d80fe2c893122a3 /databases/mysql-client/patches | |
| parent | 36687c3cf803d3c36dd8a97e65a38bbd01d61fd0 (diff) | |
| download | pkgsrc-b0ff42ef184abe3cbd9c7c68be91593f79d63333.tar.gz | |
Fix security problem in MySQL client library and server which were
recently discovered by e-matters.
Diffstat (limited to 'databases/mysql-client/patches')
| -rw-r--r-- | databases/mysql-client/patches/patch-al | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/databases/mysql-client/patches/patch-al b/databases/mysql-client/patches/patch-al new file mode 100644 index 00000000000..b4b0e4817e8 --- /dev/null +++ b/databases/mysql-client/patches/patch-al @@ -0,0 +1,65 @@ +$NetBSD: patch-al,v 1.1 2002/12/13 14:19:54 tron Exp $ + +--- libmysql/libmysql.c.orig Thu Feb 14 18:30:17 2002 ++++ libmysql/libmysql.c Fri Dec 13 15:11:45 2002 +@@ -886,7 +886,7 @@ + uint field,pkt_len; + ulong len; + uchar *cp; +- char *to; ++ char *to, *end_to; + MYSQL_DATA *result; + MYSQL_ROWS **prev_ptr,*cur; + NET *net = &mysql->net; +@@ -924,6 +924,7 @@ + *prev_ptr=cur; + prev_ptr= &cur->next; + to= (char*) (cur->data+fields+1); ++ end_to=to+pkt_len-1; + for (field=0 ; field < fields ; field++) + { + if ((len=(ulong) net_field_length(&cp)) == NULL_LENGTH) +@@ -933,6 +934,13 @@ + else + { + cur->data[field] = to; ++ if (len > end_to - to) ++ { ++ free_rows(result); ++ net->last_errno=CR_UNKNOWN_ERROR; ++ strmov(net->last_error,ER(net->last_errno)); ++ DBUG_RETURN(0); ++ } + memcpy(to,(char*) cp,len); to[len]=0; + to+=len+1; + cp+=len; +@@ -967,7 +975,7 @@ + { + uint field; + ulong pkt_len,len; +- uchar *pos,*prev_pos; ++ uchar *pos,*prev_pos, *end_pos; + + if ((pkt_len=(uint) net_safe_read(mysql)) == packet_error) + return -1; +@@ -975,6 +983,7 @@ + return 1; /* End of data */ + prev_pos= 0; /* allowed to write at packet[-1] */ + pos=mysql->net.read_pos; ++ end_pos=pos+pkt_len; + for (field=0 ; field < fields ; field++) + { + if ((len=(ulong) net_field_length(&pos)) == NULL_LENGTH) +@@ -984,6 +993,12 @@ + } + else + { ++ if (len > end_pos - pos) ++ { ++ mysql->net.last_errno=CR_UNKNOWN_ERROR; ++ strmov(mysql->net.last_error,ER(mysql->net.last_errno)); ++ return -1; ++ } + row[field] = (char*) pos; + pos+=len; + *lengths++=len; |