| Bug #102829 | Improper memory allocation when sending field metadata | ||
|---|---|---|---|
| Submitted: | 5 Mar 2021 14:48 | Modified: | 9 Mar 2021 13:33 |
| Reporter: | Georgy Kirichenko | Email Updates: | |
| Status: | Not a Bug | Impact on me: | |
| Category: | MySQL Server: Connection Handling | Severity: | S3 (Non-critical) |
| Version: | 5.7 | OS: | Any |
| Assigned to: | | CPU Architecture: | Any |
[8 Mar 2021 13:21]
MySQL Verification Team
Hi Mr. Kirichenko, Thank you for your bug report. We have analysed it very carefully and concluded that you are correct. Verified as reported.
[9 Mar 2021 7:22]
Georgy Kirichenko
I was wrong speaking about invalid allocation - the String class contract mentions that there is at least one more byte reserved for the nul-terminator: "@param alloc_length The requested string size in characters, excluding any null terminator." and the code is functionally correct.
[9 Mar 2021 13:33]
MySQL Verification Team
Hi, thank you Mr. Kirichenko. We also forgot about that fact. Not a bug.

Description:
Protocol_classic::send_field_metadata, when the client capability CLIENT_PROTOCOL_41 is enabled, writes 13 bytes but allocates only 12.

Allocation:

```cpp
packet->mem_realloc(packet->length() + 12)
```

Writing:

```cpp
*pos++ = 12;                          // byte 1: Length of packed fields
int2store(pos, item_charset->number); // bytes 2-3
int4store(pos + 2, field->length);    // bytes 4-7
pos[6] = field->type;                 // bytes 8-13
int2store(pos + 7, field->flags);
pos[9] = (char)field->decimals;
pos[10] = 0; // For the future
pos[11] = 0; // For the future
```

How to repeat:
Take a look at: https://github.com/mysql/mysql-server/blob/7ed30a748964c009d4909cb8b4b22036ebdef239/sql/pr...

Suggested fix:
Allocate one more byte
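The following is an added example in C++ and is not code from the bug report or from the MySQL server. It illustrates the contract the thread settles on: `mem_realloc(alloc_length)` guarantees `alloc_length` usable bytes plus one extra byte reserved for a null terminator, so the 13-byte write described above lands its last byte in that reserved slot. `ToyString`, `FieldMeta`, `append_fixed_field_metadata`, `parse_fixed_field_metadata` and `write_is_in_bounds` are hypothetical names invented for the example; the toy class deliberately reserves exactly one spare byte (MySQL's String rounds the allocation up, but that detail is not needed here), and its `mem_realloc` returns true on success rather than on failure.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>

// Hypothetical, simplified stand-in for the part of the String contract the
// thread relies on: alloc_length usable bytes plus one reserved terminator byte.
class ToyString {
 public:
  ToyString() = default;
  ~ToyString() { std::free(ptr_); }
  ToyString(const ToyString &) = delete;
  ToyString &operator=(const ToyString &) = delete;

  size_t length() const { return len_; }
  size_t alloced_length() const { return alloced_; }          // usable bytes
  size_t real_capacity() const { return ptr_ ? alloced_ + 1 : 0; }  // incl. spare
  char *ptr() { return ptr_; }
  void set_length(size_t n) { len_ = n; }

  // Ensure alloc_length usable bytes; the +1 is the reserved terminator slot.
  // Returns true on success (polarity flipped relative to MySQL for readability).
  bool mem_realloc(size_t alloc_length) {
    if (ptr_ != nullptr && alloc_length <= alloced_) return true;
    char *p = static_cast<char *>(std::realloc(ptr_, alloc_length + 1));
    if (p == nullptr) return false;
    ptr_ = p;
    alloced_ = alloc_length;
    ptr_[alloc_length] = '\0';
    return true;
  }

 private:
  char *ptr_ = nullptr;
  size_t len_ = 0;
  size_t alloced_ = 0;
};

// Little-endian stores/loads in the style of MySQL's int2store/int4store.
static void int2store(char *p, uint16_t v) {
  p[0] = static_cast<char>(v & 0xff);
  p[1] = static_cast<char>((v >> 8) & 0xff);
}
static void int4store(char *p, uint32_t v) {
  for (int i = 0; i < 4; ++i) p[i] = static_cast<char>((v >> (8 * i)) & 0xff);
}
static uint16_t uint2korr(const char *p) {
  return static_cast<uint16_t>(static_cast<uint8_t>(p[0]) |
                               (static_cast<uint8_t>(p[1]) << 8));
}
static uint32_t uint4korr(const char *p) {
  uint32_t v = 0;
  for (int i = 3; i >= 0; --i) v = (v << 8) | static_cast<uint8_t>(p[i]);
  return v;
}

struct FieldMeta {  // the attributes carried in the fixed-size block
  uint16_t charset_number;
  uint32_t length;
  uint8_t type;
  uint16_t flags;
  uint8_t decimals;
};

// Mirrors the write pattern from the report: request length()+12, then write
// one length byte followed by 12 attribute bytes, i.e. 13 bytes in total.
// Returns how many bytes the packet grew by (13), or 0 if allocation failed.
size_t append_fixed_field_metadata(ToyString &packet, const FieldMeta &f) {
  const size_t start = packet.length();
  if (!packet.mem_realloc(start + 12)) return 0;
  char *pos = packet.ptr() + start;
  *pos++ = 12;                          // byte 1: length of the packed fields
  int2store(pos, f.charset_number);     // bytes 2-3
  int4store(pos + 2, f.length);         // bytes 4-7
  pos[6] = static_cast<char>(f.type);   // byte 8
  int2store(pos + 7, f.flags);          // bytes 9-10
  pos[9] = static_cast<char>(f.decimals);
  pos[10] = 0;                          // reserved
  pos[11] = 0;                          // reserved; lands at offset start+12
  pos += 12;
  packet.set_length(static_cast<size_t>(pos - packet.ptr()));
  return packet.length() - start;
}

// The check a reviewer would want: is the highest offset written (start+12)
// inside the bytes the buffer really owns?
bool write_is_in_bounds(const ToyString &packet, size_t start) {
  return start + 12 < packet.real_capacity();
}

// Decode the 13-byte block back; returns the leading length byte (12).
uint8_t parse_fixed_field_metadata(const char *p, FieldMeta &out) {
  out.charset_number = uint2korr(p + 1);
  out.length = uint4korr(p + 3);
  out.type = static_cast<uint8_t>(p[7]);
  out.flags = uint2korr(p + 8);
  out.decimals = static_cast<uint8_t>(p[10]);
  return static_cast<uint8_t>(p[0]);
}
```

With an empty packet, `alloced_length()` is 12 and `real_capacity()` is 13, so the write fits with no slack: the 13th byte is exactly the reserved terminator slot. Since that byte is `pos[11] = 0`, the buffer even stays zero-terminated after the write. Drop the `+ 1` from `mem_realloc` and `write_is_in_bounds` returns false, which is the off-by-one the report initially assumed.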