BUG#36421684: mysql server 8.3.0 heap-buffer-overflow at Multisource_info::get_mi

pedrolgomes · pedrolgomes · commit 4c5e1f1f29ed · 2025-03-04T19:56:46.000+01:00
When using JSON fuctions as a parameter to a
SOURCE_POS_WAIT/MASTER_POS_WAIT, something that should also apply to
other functions that return text results, the string extracted from
the parameter did not have a safe pointer to it.

The cause is that the length of the string was not properly marked
inside its allocated space.

Usage of the method c_ptr_safe fixes this issue.

Change-Id: Ic2c54999293aa2e0833594754ad681d7453e03a1
diff --git a/sql/item_func.cc b/sql/item_func.cc
@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2023, Oracle and/or its affiliates.
+/* Copyright (c) 2000, 2025, Oracle and/or its affiliates.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -4912,7 +4912,7 @@ longlong Item_master_pos_wait::val_int()
       return 0;
     }
 
-    mi= channel_map.get_mi(channel_str->ptr());
+    mi = channel_map.get_mi(channel_str->c_ptr_safe());
 
   }
   else

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-/* Copyright (c) 2000, 2023, Oracle and/or its affiliates.`
	`1`	`+/* Copyright (c) 2000, 2025, Oracle and/or its affiliates.`
`2`	`2`
`3`	`3`	`This program is free software; you can redistribute it and/or modify`
`4`	`4`	`it under the terms of the GNU General Public License, version 2.0,`
`@@ -4912,7 +4912,7 @@ longlong Item_master_pos_wait::val_int()`
`4912`	`4912`	`return 0;`
`4913`	`4913`	`}`
`4914`	`4914`
`4915`		`- mi= channel_map.get_mi(channel_str->ptr());`
	`4915`	`+ mi = channel_map.get_mi(channel_str->c_ptr_safe());`
`4916`	`4916`
`4917`	`4917`	`}`
`4918`	`4918`	`else`