From 25df2289605e2a5763cf776bad57e3431eec39ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20Jaramago=20Fern=C3=A1ndez?=
Date: Fri, 20 Aug 2021 23:14:21 +0200
Subject: [PATCH] Fixed double-free memory corruption due to unitialized memory in prepared statements bind buffers #3546

---
 lib/MySQL_Protocol.cpp | 3 +++
 lib/MySQL_Session.cpp | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/lib/MySQL_Protocol.cpp b/lib/MySQL_Protocol.cpp
index 9a5072285..4bf68c9bd 100644
--- a/lib/MySQL_Protocol.cpp
+++ b/lib/MySQL_Protocol.cpp
@@ -2259,6 +2259,9 @@ stmt_execute_metadata_t * MySQL_Protocol::get_binds_from_pkt(void *ptr, unsigned
 continue;
 } else if (is_nulls[i]==true) {
 // the parameter is NULL, no need to read any data from the packet
+// NOTE: We nullify buffers here to reflect that memory wasn't
+// initalized. See #3546.
+binds[i].buffer = NULL;
 continue;
 }
diff --git a/lib/MySQL_Session.cpp b/lib/MySQL_Session.cpp
index dbc46b09f..b96526c20 100644
--- a/lib/MySQL_Session.cpp
+++ b/lib/MySQL_Session.cpp
@@ -3904,6 +3904,9 @@ void MySQL_Session::handler_rc0_PROCESSING_STMT_EXECUTE(MySQL_Data_Stream *myds)
 (buffer_type == MYSQL_TYPE_DATETIME) ) {
 free(CurrentQuery.stmt_meta->binds[i].buffer);
+// NOTE: This memory should be zeroed during initialization,
+// but we also nullify it here for extra safety. See #3546.
+CurrentQuery.stmt_meta->binds[i].buffer = NULL;
 }
 }
 }
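Review bot: Clearing only `binds[i].buffer` in the `is_nulls[i]` branch leaves the rest of that MYSQL_BIND entry (`buffer_length`, `length`, `is_null` and whatever else the allocation did not set) in the same uninitialized state the commit title describes, and the first `continue;` in the hunk sits under a condition outside the hunk that may skip the buffer setup in the same way. If the binds array comes from malloc rather than calloc, the more robust fix is to zero the whole array once at allocation (calloc, or a memset near the top of get_binds_from_pkt) so every field of every element is deterministic before any branch leaves early; a later free() on a garbage pointer is what turns a client-supplied NULL parameter into the double free the title names. The added comment also misspells `initalized`; I would reword it as `// NOTE: binds[] may be uninitialized here; clear the pointer so a later free() on a NULL parameter is a no-op. See #3546.`. get_binds_from_pkt starts and ends outside the hunk, so how binds is allocated cannot be confirmed from here.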
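Review bot: The null-after-free is applied only inside the `buffer_type` branch whose condition begins above the hunk (only `MYSQL_TYPE_DATETIME` is visible), so bind entries whose type is not freed here keep whatever pointer they had, and the hunk does not show whether those are released elsewhere or could be freed twice on a later pass; the comment should state which types own heap memory and who frees the rest. Since `free(NULL)` is a no-op, the assignment is what makes a second pass over this loop safe for the freed types, whereas the comment's claim that the memory "should be zeroed during initialization" describes a guarantee that lives in get_binds_from_pkt, not here; I would phrase it as `// Clear after free so a repeated pass over binds cannot release this pointer twice; see #3546.`. handler_rc0_PROCESSING_STMT_EXECUTE and the enclosing loop start outside the hunk.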