Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
10.6, 10.11, 11.4, 11.8, 12.3
-
None
-
Not for Release Notes
Description
Numerous issues in how COM_STMT_EXECUTE validates parameter values. For example
|
static ulong get_param_length(uchar **packet, ulong len) |
if (len < 4) |
return 0; |
if (*pos == 253) |
{
|
(*packet)+=4;
|
return (ulong) uint3korr(pos+1); |
}
|
if (len < 5) |
return 0; |
(*packet)+=9; // Must be 254 when here |
Note that compares with 5 but adds 9. Or
|
void Item_param::set_param_str(uchar **pos, ulong len) |
ulong length= get_param_length(pos, len);
|
if (length == 0 && m_empty_string_is_null) |
set_null();
|
else |
{
|
if (length > len) |
Here it compares length with the original len although pos was already advanced in get_param_length(). There are other issues too.
Reported by Tristan.