From 1793d1a9a3f220967721d02507dde2f5e7d80c30 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20Jaramago=20Fern=C3=A1ndez?=
Date: Wed, 6 Nov 2024 14:29:02 +0100
Subject: [PATCH] Crash fix: Add integrity check for 'column-count' packet to 'libmariadbclient'
---
 deps/Makefile | 1 +
 .../mariadb_lib.c.metadata_column_check.patch | 31 +++++++++++++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 deps/mariadb-client-library/mariadb_lib.c.metadata_column_check.patch
diff --git a/deps/Makefile b/deps/Makefile
index 25bcc603a7..c109e06d0b 100644
--- a/deps/Makefile
+++ b/deps/Makefile
@@ -236,6 +236,7 @@ endif
 # patches for replication testing
 cd mariadb-client-library/mariadb_client && patch -p0 < ../mariadb_rpl.patch
 cd mariadb-client-library/mariadb_client && patch -p0 < ../cmakelists.txt.patch
+ cd mariadb-client-library/mariadb_client && patch -p0 < ../mariadb_lib.c.metadata_column_check.patch
 cd mariadb-client-library/mariadb_client && CC=${CC} CXX=${CXX} ${MAKE} mariadbclient
 # cd mariadb-client-library/mariadb_client/include && make my_config.h
diff --git a/deps/mariadb-client-library/mariadb_lib.c.metadata_column_check.patch b/deps/mariadb-client-library/mariadb_lib.c.metadata_column_check.patch
new file mode 100644
index 0000000000..3b63cbe536
--- /dev/null
+++ b/deps/mariadb-client-library/mariadb_lib.c.metadata_column_check.patch
@@ -0,0 +1,31 @@
+diff --git libmariadb/mariadb_lib.c libmariadb/mariadb_lib.c
+index 027167f1..58b8283a 100644
+--- libmariadb/mariadb_lib.c
++++ libmariadb/mariadb_lib.c
+@@ -3021,6 +3021,12 @@ MYSQL_FIELD *ma_duplicate_resultset_metadata(MYSQL_FIELD *fields, size_t count,
+ return result;
+ }
+ 
++static uint8_t mysql_encode_length(uint64_t len) {
++ if (len < 251) { return 1; }
++ if (len < 65536) { return 3; }
++ if (len < 16777216) { return 4; }
++ return 9;
++}
+ 
+ int mthd_my_read_query_result(MYSQL *mysql)
+ {
+@@ -3070,6 +3076,13 @@ get_info:
+ 
+ if (has_metadata)
+ {
++ // integrity-check: the length encoding of the field count from 'column-count' packet
++ // must match the packet length from header, otherwise packet is malformed.
++ ulong enc_len = mysql_encode_length(field_count);
++ if (enc_len != length) {
++ my_set_error(mysql, CR_MALFORMED_PACKET, SQLSTATE_UNKNOWN, 0);
++ return -1;
++ }
+ // read packet metadata
+ mysql->fields =
+ mthd_my_read_metadata(mysql, field_count, 7 + ma_extended_type_info_rows(mysql));
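Review bot: The strict equality `if (enc_len != length)` in the second inner hunk rejects any column-count packet that carries bytes after the length-encoded count, while the over-read this commit guards against only requires the count's encoding to fit inside the packet, i.e. `if (enc_len > length) {`; if a protocol variant this client negotiates appends a flag byte to that packet (the optional-resultset-metadata extension does, for servers that support it — confirm whether libmariadb ever requests it), the equality form would turn valid responses into CR_MALFORMED_PACKET errors. Please either relax the comparison or state in the comment that an exact match is intended and why. The new helper also has no header comment; `/* Byte width of the length-encoded integer carrying len (1, 3, 4 or 9), per the MySQL/MariaDB wire format. */` above `mysql_encode_length` would make the 251/65536/16777216 thresholds self-explanatory. Both mthd_my_read_query_result and the `if (has_metadata)` block continue outside the hunk, so any cleanup the function normally performs before returning -1 cannot be checked from here.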