Commit fa61c049 authored by Chaithra Gopalareddy

Bug#12347040: MEMORY LEAK IN CONVERT_TZ COULD POSSIBLY CAUSE

                    DOS ATTACKS
      
Problem:
For detailed description, see Bug#42502. This bug is a duplicate
of Bug#42502. The complete fix for Bug#42502 was not made as
proposed. Hence the bug still persists.
      
Fix:
Make the changes as originally proposed for the fix of Bug#42502, that is,
remove the allocation of the memory that happens before we actually
check for any errors.

sql/tztime.cc:
  Remove the double allocation for tz_info
parent 5cf9e193
...@@ -1808,7 +1808,7 @@ static Time_zone* ...@@ -1808,7 +1808,7 @@ static Time_zone*
tz_load_from_open_tables(const String *tz_name, TABLE_LIST *tz_tables) tz_load_from_open_tables(const String *tz_name, TABLE_LIST *tz_tables)
{ {
TABLE *table= 0; TABLE *table= 0;
TIME_ZONE_INFO *tz_info; TIME_ZONE_INFO *tz_info= NULL;
Tz_names_entry *tmp_tzname; Tz_names_entry *tmp_tzname;
Time_zone *return_val= 0; Time_zone *return_val= 0;
int res; int res;
...@@ -1816,7 +1816,8 @@ tz_load_from_open_tables(const String *tz_name, TABLE_LIST *tz_tables) ...@@ -1816,7 +1816,8 @@ tz_load_from_open_tables(const String *tz_name, TABLE_LIST *tz_tables)
my_time_t ttime; my_time_t ttime;
char buff[MAX_FIELD_WIDTH]; char buff[MAX_FIELD_WIDTH];
String abbr(buff, sizeof(buff), &my_charset_latin1); String abbr(buff, sizeof(buff), &my_charset_latin1);
char *alloc_buff, *tz_name_buff; char *alloc_buff= NULL;
char *tz_name_buff= NULL;
/* /*
Temporary arrays that are used for loading of data for filling Temporary arrays that are used for loading of data for filling
TIME_ZONE_INFO structure TIME_ZONE_INFO structure
...@@ -1836,22 +1837,6 @@ tz_load_from_open_tables(const String *tz_name, TABLE_LIST *tz_tables) ...@@ -1836,22 +1837,6 @@ tz_load_from_open_tables(const String *tz_name, TABLE_LIST *tz_tables)
DBUG_ENTER("tz_load_from_open_tables"); DBUG_ENTER("tz_load_from_open_tables");
/* Prepare tz_info for loading also let us make copy of time zone name */
if (!(alloc_buff= (char*) alloc_root(&tz_storage, sizeof(TIME_ZONE_INFO) +
tz_name->length() + 1)))
{
sql_print_error("Out of memory while loading time zone description");
return 0;
}
tz_info= (TIME_ZONE_INFO *)alloc_buff;
bzero(tz_info, sizeof(TIME_ZONE_INFO));
tz_name_buff= alloc_buff + sizeof(TIME_ZONE_INFO);
/*
By writing zero to the end we guarantee that we can call ptr()
instead of c_ptr() for time zone name.
*/
strmake(tz_name_buff, tz_name->ptr(), tz_name->length());
/* /*
Let us find out time zone id by its name (there is only one index Let us find out time zone id by its name (there is only one index
and it is specifically for this purpose). and it is specifically for this purpose).
......
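Review bot: With `tz_info`, `alloc_buff` and `tz_name_buff` now starting as NULL and the early `alloc_root(&tz_storage, ...)` removed, nothing between `DBUG_ENTER` and the remaining allocation may write through these pointers, and that part of `tz_load_from_open_tables` lies outside the visible hunks. It is worth confirming there that the loading code fills only the temporary arrays, and that the later allocation still zeroes the structure and copies the name with `strmake`, so the `ptr()` instead of `c_ptr()` guarantee described in the removed comment still holds. The commit message says this leak already survived one incomplete fix, so a short comment at the declarations would help keep the ordering intact, e.g. `/* Allocated from tz_storage only after the description is loaded and validated; allocating earlier leaks on every failed lookup. */`. No regression test for the failed-lookup path is visible in this commit; one would guard against the early allocation being reintroduced.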