[CONC-619] NULL pointer dereference in unpack_fields (libmariadb) Created: 2022-11-18  Updated: 2023-05-02

Status: Open
Project: MariaDB Connector/C
Component/s: None
Affects Version/s: None
Fix Version/s: 3.1

Type: Bug Priority: Blocker
Reporter: Yury Chaikou Assignee: Georg Richter
Resolution: Unresolved Votes: 0
Labels: None


Description

libmariadb/mariadb_lib.c

    ...
    for (i=0; i < field_count; i++)
    {
      uint length= (uint)(row->data[i+1] - row->data[i] - 1);
      if (!row->data[i] && row->data[i][length])
        goto error;
    ...

Even if row->data[i] is NULL, evaluation of the condition still continues and dereferences the NULL pointer in row->data[i][length]. Possibly || should be used instead of &&.
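The following is an added example, not libmariadb's code: a minimal stand-in for the row layout (the demo_row struct, check_fields and the demo_* helpers are assumptions for illustration) that reproduces the loop with the corrected condition, rejects a NULL field before it can be dereferenced, and exercises it on constructed inputs.

```c
#include <stddef.h>

/* Stand-in for the row the snippet walks (assumption, not the real
 * libmariadb struct): data[] holds field_count + 1 pointers into one
 * buffer, data[i+1] - data[i] - 1 is field i's length, and the byte at
 * data[i][length] is its terminator, which must be 0. */
typedef struct { char **data; } demo_row;

/* Reported condition, for reference only (never executed here):
 *   if (!row->data[i] && row->data[i][length]) goto error;
 * With && a NULL data[i] makes the left side true, so the right side
 * still runs and dereferences NULL. */

/* Corrected check: a NULL pointer is rejected before anything is
 * computed from it (the report's || suggestion, with the length
 * computation also moved behind the NULL test). Returns 0 on success,
 * -1 on error. */
int check_fields(const demo_row *row, unsigned int field_count)
{
    unsigned int i;
    for (i = 0; i < field_count; i++)
    {
        unsigned int length;
        /* the guard on data[i+1] is this example's own addition */
        if (!row->data[i] || !row->data[i + 1])
            return -1;
        length = (unsigned int)(row->data[i + 1] - row->data[i] - 1);
        if (row->data[i][length])      /* terminator must be '\0' */
            return -1;
    }
    return 0;
}

/* Build a two-field row over a 7-byte buffer (constructed input):
 * field 0 at first, field 1 at buf + 4, end pointer at buf + 7. */
static int demo(char *buf, char *first)
{
    char *data[3] = { first, buf + 4, buf + 7 };
    demo_row row = { data };
    return check_fields(&row, 2);
}
int demo_valid(void)          { char b[] = "abc\0de"; return demo(b, b); }    /* 0 */
int demo_null_field(void)     { char b[] = "abc\0de"; return demo(b, NULL); } /* -1 */
int demo_bad_terminator(void) { char b[] = "abcXde";  return demo(b, b); }    /* -1 */
```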

