Fix possible out-of-bounds reads in modutil_count_statements

The pointer manipulation in modutil_count_statements assumed that if a
semicolon is found, it is not the last character in the buffer. It also
assumed that the buffer contained at least one readable character.
Markus Mäkelä
2017-08-17 15:54:44 +03:00
parent f98d4c1dbf
commit fe580d272f


@ -1018,28 +1018,33 @@ GWBUF* modutil_create_query(const char* query)
*/
int modutil_count_statements(GWBUF* buffer)
{
char* ptr = ((char*)(buffer)->start + 5);
char* start = ((char*)(buffer)->start + 5);
char* ptr = start;
char* end = ((char*)(buffer)->end);
int num = 1;
while (ptr < end && (ptr = strnchr_esc(ptr, ';', end - ptr)))
{
num++;
while (*ptr == ';')
while (ptr < end && *ptr == ';')
{
ptr++;
}
}
ptr = end - 1;
while (isspace(*ptr))
{
ptr--;
}
if (*ptr == ';')
if (ptr >= start && ptr < end)
{
num--;
while (ptr > start && isspace(*ptr))
{
ptr--;
}
if (*ptr == ';')
{
num--;
}
}
return num;