Bug#29921423 - MEMCPY-PARAM-OVERLAP IN CLI_READ_ROWS

Anushree Prakash B · Anushree Prakash B · commit 6e5fe9c7f0b7 · 2020-05-26T19:56:18.000+05:30
DESCRIPTION
===========
There is a memcpy-param-overlap (likely leading to a multi
byte write heap buffer overflow) in function cli_read_rows
called by mysql_store_result.

FIX
===
Added appropriate boundary checks while reading the packets,
and if an invalid packet data is detected, an error is
returned.

RB: 24485
diff --git a/sql-common/client.c b/sql-common/client.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -1630,7 +1630,7 @@ MYSQL_DATA *cli_read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields,
       else
       {
 	cur->data[field] = to;
-        if (len > (ulong) (end_to - to))
+        if (to > end_to || len > (ulong) (end_to - to))
         {
           free_rows(result);
           set_mysql_error(mysql, CR_MALFORMED_PACKET, unknown_sqlstate);

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-/* Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.`
	`1`	`+/* Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.`
`2`	`2`
`3`	`3`	`This program is free software; you can redistribute it and/or modify`
`4`	`4`	`it under the terms of the GNU General Public License, version 2.0,`
`@@ -1630,7 +1630,7 @@ MYSQL_DATA cli_read_rows(MYSQL mysql,MYSQL_FIELD *mysql_fields,`
`1630`	`1630`	`else`
`1631`	`1631`	`{`
`1632`	`1632`	`cur->data[field] = to;`
`1633`		`- if (len > (ulong) (end_to - to))`
	`1633`	`+ if (to > end_to \|\| len > (ulong) (end_to - to))`
`1634`	`1634`	`{`
`1635`	`1635`	`free_rows(result);`
`1636`	`1636`	`set_mysql_error(mysql, CR_MALFORMED_PACKET, unknown_sqlstate);`