Bug #102829 Improperly memory allocation while field metadata sending
Submitted: 5 Mar 2021 14:48 Modified: 9 Mar 2021 13:33
Reporter: Georgy Kirichenko Email Updates:
Status: Not a Bug Impact on me:
None 
Category:MySQL Server: Connection Handling Severity:S3 (Non-critical)
Version:5.7 OS:Any
Assigned to: CPU Architecture:Any

[5 Mar 2021 14:48] Georgy Kirichenko
Description:
Protocol_classic::send_field_metadata in case if client capability CLIENT_PROTOCOL_41 is enabled writes 13 bytes but allocates only 12:
 allocation:
   packet->mem_realloc(packet->length() + 12)
 writing:
   byte 1:  *pos++ = 12;  // Length of packed fields
   bytes 2-3: int2store(pos, item_charset->number);
   bytes 4-7: int4store(pos + 2, field->length);
   bytes 8-13: pos[6] = field->type;
               int2store(pos + 7, field->flags);
               pos[9] = (char)field->decimals;
               pos[10] = 0;  // For the future
               pos[11] = 0;  // For the future
  

How to repeat:
Take a look at:
https://github.com/mysql/mysql-server/blob/7ed30a748964c009d4909cb8b4b22036ebdef239/sql/pr...

Suggested fix:
Allocate one more byte
[8 Mar 2021 13:21] MySQL Verification Team
Hi Mr. Kirichenko,

Thank you for your bug report.

We have analysed it very carefully and concluded that you are correct.

Verified as reported.
[9 Mar 2021 7:22] Georgy Kirichenko
I was wrong speaking about invalid allocation - String class contract mentions that there are at least one more byte reserved for nul-terminator:
 @param alloc_length The requested string size in characters, excluding any
null terminator.

and the code is functionally correct.
[9 Mar 2021 13:33] MySQL Verification Team
Hi,

Thank you Mr. Kirichenko,

We also forgot about that fact.

Not a bug.