[MDEV-39767] Read-past buffer in mariadb_dyncol_get_num() - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Duplicate
Affects Version/s: 13.0
Fix Version/s: N/A
Component/s: Server
Labels:
- contribution

Bug Category:
Not for Release Notes

Description

Found by fuzzing COLUMN_GET() with malformed blobs. In the named format
find_column() only checks that the column directory fits the record, not
the name pool, so init_read_hdr()'s data_size wraps around and read_name()
walks the name pointer past the buffer. mariadb_dyncol_check() and
mariadb_dyncol_unpack() already fold nmpool_size into this check; do the
same on the get path.

Attachments

Activity

People

Assignee:: Oleksandr Byelkin

Reporter:: Georgi Kodinov

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2026-05-27 07:50

Updated:: 2026-06-09 09:35

Resolved:: 2026-06-09 09:35

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.