MDEV-39767: include name pool size in dynamic column get bounds check#5129
MDEV-39767: include name pool size in dynamic column get bounds check#5129jmestwa-coder wants to merge 1 commit into
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates the bounds check in find_column within mysys/ma_dyncol.c to include hdr->nmpool_size, preventing out-of-bounds reads when handling named-format records. It also introduces a new unit test, test_named_format_oob_nmpool, to verify this behavior. The reviewer noted that the pointer addition in the new bounds check could lead to pointer wrapping or integer overflow if the sizes are maliciously crafted, and suggested a safer validation approach using subtraction to prevent potential bypasses.
| if (hdr->header + hdr->header_size + hdr->nmpool_size > hdr->data_end) | ||
| return TRUE; |
There was a problem hiding this comment.
The pointer addition hdr->header + hdr->header_size + hdr->nmpool_size can lead to pointer wrapping or integer overflow if hdr->header_size and hdr->nmpool_size are extremely large or maliciously crafted. This could bypass the bounds check and result in an out-of-bounds read. To prevent this, perform the bounds check by comparing the sizes against the remaining buffer space without performing additions that could overflow.
if (hdr->header_size > (size_t)(hdr->data_end - hdr->header) ||
hdr->nmpool_size > (size_t)(hdr->data_end - hdr->header) - hdr->header_size)
return TRUE;There was a problem hiding this comment.
I'd second Gemini here. It's better to be safe.
gkodinov
added
the
External Contribution
gkodinov
changed the title
gkodinov
left a comment
gkodinov
left a comment
There was a problem hiding this comment.
Thank you for your contribution. This is a preliminary review.
LGTM. Thanks for the unit test! The improvement suggested by the AI reviewer is a good idea.
Please stand by for the final review.
| if (hdr->header + hdr->header_size + hdr->nmpool_size > hdr->data_end) | ||
| return TRUE; |
There was a problem hiding this comment.
I'd second Gemini here. It's better to be safe.
|
likely already fixed in 9a3e153 |
gkodinov
left a comment
gkodinov
left a comment
There was a problem hiding this comment.
Please backport to 10.6: this is a bug and it needs to be fixed in the lowest affected version.
5 participants
Found by fuzzing COLUMN_GET() with malformed blobs. In the named format
find_column() only checks that the column directory fits the record, not
the name pool, so init_read_hdr()'s data_size wraps around and read_name()
walks the name pointer past the buffer. mariadb_dyncol_check() and
mariadb_dyncol_unpack() already fold nmpool_size into this check; do the
same on the get path.