Fixed double-free memory corruption due to unitialized memory in prepared statements bind buffers #3546

5 years ago · 25df228960
parent 82532c34ce
commit 25df228960
2 changed files with 6 additions and 0 deletions
--- a/lib/MySQL_Protocol.cpp
+++ b/lib/MySQL_Protocol.cpp
@ -2259,6 +2259,9 @@ stmt_execute_metadata_t * MySQL_Protocol::get_binds_from_pkt(void *ptr, unsigned
 				continue;
 			} else if (is_nulls[i]==true) {
 				// the parameter is NULL, no need to read any data from the packet
+				// NOTE: We nullify buffers here to reflect that memory wasn't
+				// initalized. See #3546.
+				binds[i].buffer = NULL;
 				continue;
 			}

--- a/lib/MySQL_Session.cpp
+++ b/lib/MySQL_Session.cpp
@ -3904,6 +3904,9 @@ void MySQL_Session::handler_rc0_PROCESSING_STMT_EXECUTE(MySQL_Data_Stream *myds)
 				(buffer_type == MYSQL_TYPE_DATETIME)
 			) {
 				free(CurrentQuery.stmt_meta->binds[i].buffer);
+				// NOTE: This memory should be zeroed during initialization,
+				// but we also nullify it here for extra safety. See #3546.
+				CurrentQuery.stmt_meta->binds[i].buffer = NULL;
 			}
 		}
 	}