SUSE:SLE-12-SP4:GA
File perl-DBD-mysql-CVE-2016-1251.patch of Package perl-DBD-mysql
From 3619c170461a3107a258d1fd2d00ed4832adb1b1 Mon Sep 17 00:00:00 2001 From: Pali <pali@cpan.org> Date: Fri, 18 Nov 2016 19:01:48 +0100 Subject: [PATCH] Fix use-after-free for repeated fetchrow_arrayref calls when mysql_server_prepare=1 Function dbd_st_fetch() via Renew() can reallocate output buffer for mysql_stmt_fetch() call. But it does not update pointer to that buffer in imp_sth->stmt structure initialized by mysql_stmt_bind_result() function. That leads to use-after-free in any mysql function which access imp_sth->stmt structure (e.g. mysql_stmt_fetch()). This patch fix this problem and properly updates pointer in imp_sth->stmt structure after Renew() call. Test 40server_prepare_crash.t is extended to check for that use-after-free crash. --- dbdimp.c | 2 ++ 2 files changed, 44 insertions(+), 3 deletions(-) Index: DBD-mysql-4.021/dbdimp.c =================================================================== --- DBD-mysql-4.021.orig/dbdimp.c +++ DBD-mysql-4.021/dbdimp.c @@ -3804,6 +3804,9 @@ dbd_st_fetch(SV *sth, imp_sth_t* imp_sth Renew(fbh->data, fbh->length, char); buffer->buffer_length= fbh->length; buffer->buffer= (char *) fbh->data; + imp_sth->stmt->bind[i].buffer_length = fbh->length; + imp_sth->stmt->bind[i].buffer = (char *)fbh->data; + /*TODO: Use offset instead of 0 to fetch only remain part of data*/ if (mysql_stmt_fetch_column(imp_sth->stmt, buffer , i, 0)) do_error(sth, mysql_stmt_errno(imp_sth->stmt),
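Review bot: the fix writes straight into libmysqlclient's private MYSQL_STMT state (`imp_sth->stmt->bind[i].buffer_length` and `imp_sth->stmt->bind[i].buffer`) immediately after the `Renew(fbh->data, fbh->length, char);` call. Because mysql_stmt_bind_result() copies the caller's MYSQL_BIND array into stmt->bind, the supported way to re-register the grown buffer is to call mysql_stmt_bind_result() again on the updated bind array after Renew() rather than patching the library's internal copy; if the direct write is kept to avoid re-binding every column, a comment should say that it mirrors `buffer->buffer` / `buffer->buffer_length` into the library's copy and why that is safe. Separately, the diffstat (`dbdimp.c | 2 ++ 2 files changed, 44 insertions(+), 3 deletions(-)`) and the message's mention of an extended 40server_prepare_crash.t do not match the single three-line hunk in dbdimp.c that is actually included, so either the test change should be carried in this patch or the header trimmed to what the patch contains.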