From 0b37e288a6009d56b537217c920e46fd3bc39395 Mon Sep 17 00:00:00 2001
From: pr-hung
Date: Wed, 11 Mar 2026 23:11:12 +0800
Subject: [PATCH] Fix potential vulnerability in cloned code (phx_percona/percona/sql/sql_acl.cc)

---
 phx_percona/percona/sql/sql_acl.cc | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/phx_percona/percona/sql/sql_acl.cc b/phx_percona/percona/sql/sql_acl.cc
index 0d243a0..fa22e80 100644
--- a/phx_percona/percona/sql/sql_acl.cc
+++ b/phx_percona/percona/sql/sql_acl.cc
@@ -10500,6 +10500,9 @@ char *get_56_lenc_string(char **buffer,
 {
   static char empty_string[1]= { '\0' };
   char *begin= *buffer;
+  uchar *pos= (uchar *)begin;
+  size_t required_length= 9;
+
   if (*max_bytes_available == 0)
     return NULL;
@@ -10520,6 +10523,29 @@ char *get_56_lenc_string(char **buffer,
     return empty_string;
   }
+  /* Make sure we have enough bytes available for net_field_length_ll */
+  {
+    DBUG_EXECUTE_IF("buffer_too_short_3",
+                    *pos= 252; *max_bytes_available= 2;
+                    );
+    DBUG_EXECUTE_IF("buffer_too_short_4",
+                    *pos= 253; *max_bytes_available= 3;
+                    );
+    DBUG_EXECUTE_IF("buffer_too_short_9",
+                    *pos= 254; *max_bytes_available= 8;
+                    );
+
+    if (*pos <= 251)
+      required_length= 1;
+    if (*pos == 252)
+      required_length= 3;
+    if (*pos == 253)
+      required_length= 4;
+
+    if (*max_bytes_available < required_length)
+      return NULL;
+  }
+
   *string_length= (size_t)net_field_length_ll((uchar **)buffer);
   DBUG_EXECUTE_IF("sha256_password_scramble_too_long",
@@ -10527,6 +10553,9 @@ char *get_56_lenc_string(char **buffer,
                   );
   size_t len_len= (size_t)(*buffer - begin);
+
+  DBUG_ASSERT((*max_bytes_available >= len_len) &&
+              (len_len == required_length));
   if (*string_length > *max_bytes_available - len_len)
     return NULL;
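Review bot: The three independent `if` tests on `*pos` in the second hunk leave the 9-byte case implicit — a reader has to go back to `size_t required_length= 9;` in the first hunk to learn that 254 (and any other prefix byte) is assumed to make `net_field_length_ll` consume nine bytes, and nothing states the 1/3/4/9 prefix layout the guard is derived from. I would fold the classification into a `switch` with a comment naming that layout, as below, so the guard documents itself and the `DBUG_ASSERT((... len_len == required_length))` in the third hunk, which depends on the two agreeing, has something to be checked against. The `DBUG_EXECUTE_IF` hooks also write through `pos` into the caller's packet buffer, which is acceptable for debug-only fault injection but deserves a one-line comment such as `/* debug fault injection: deliberately rewrites the prefix byte in the caller's buffer */`. `get_56_lenc_string` begins before the first hunk and continues past the third.
```cpp
    /* Bytes net_field_length_ll consumes for the length prefix:
       first byte <= 251 -> 1, 252 -> 3, 253 -> 4, otherwise (254) -> 9. */
    switch (*pos)
    {
    case 252: required_length= 3; break;
    case 253: required_length= 4; break;
    default:  required_length= (*pos <= 251) ? 1 : 9; break;
    }

    if (*max_bytes_available < required_length)
      return NULL;
```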