From e61bad0769c7dbb82b03250d588a263d2958d7be Mon Sep 17 00:00:00 2001
From: Ziyi Yan
Date: Thu, 6 Dec 2018 22:36:49 +0800
Subject: [PATCH] expression: handle corrupted length in uncompress builtin function (#8586)
---
 expression/builtin_encryption.go | 5 +++++
 expression/builtin_encryption_test.go | 1 +
 expression/errors.go | 4 +++-
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/expression/builtin_encryption.go b/expression/builtin_encryption.go
index 7ad63ce8b26a4..207b9cc640e53 100644
--- a/expression/builtin_encryption.go
+++ b/expression/builtin_encryption.go
@@ -824,11 +824,16 @@ func (b *builtinUncompressSig) evalString(row chunk.Row) (string, bool, error) {
 sc.AppendWarning(errZlibZData)
 return "", true, nil
 }
+ length := binary.LittleEndian.Uint32([]byte(payload[0:4]))
 bytes, err := inflate([]byte(payload[4:]))
 if err != nil {
 sc.AppendWarning(errZlibZData)
 return "", true, nil
 }
+ if length < uint32(len(bytes)) {
+ sc.AppendWarning(errZlibZBuf)
+ return "", true, nil
+ }
 return string(bytes), false, nil
 }
diff --git a/expression/builtin_encryption_test.go b/expression/builtin_encryption_test.go
index 85a6762089469..9c2e17d2c8453 100644
--- a/expression/builtin_encryption_test.go
+++ b/expression/builtin_encryption_test.go
@@ -381,6 +381,7 @@ func (s *testEvaluatorSuite) TestUncompress(c *C) {
 }{
 {decodeHex("0B000000789CCB48CDC9C95728CF2FCA4901001A0B045D"), "hello world"}, // zlib result from MySQL
 {decodeHex("0B000000789CCA48CDC9C95728CF2FCA4901040000FFFF1A0B045D"), "hello world"}, // zlib result from TiDB
+ {decodeHex("02000000789CCB48CDC9C95728CF2FCA4901001A0B045D"), nil}, // wrong length in the first four bytes
 {decodeHex(""), ""},
 {"1", nil},
 {"1234", nil},
diff --git a/expression/errors.go b/expression/errors.go
index 1925b0b025989..4b1a3163e1453 100644
--- a/expression/errors.go
+++ b/expression/errors.go
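Review bot: In builtinUncompressSig.evalString (expression/builtin_encryption.go) the declared length is compared only after `inflate` has returned the whole output, so the 4-byte prefix rejects a mismatched value but does not bound how much memory a small crafted payload can expand into. If `inflate` (defined outside this hunk) reads without a cap, consider passing `length` to it and wrapping its reader in an `io.LimitReader`, so decompression stops once the declared size is exceeded. The comparison also narrows `len(bytes)` to uint32, which would wrap for an output of 4 GiB or more; `if uint64(length) < uint64(len(bytes)) {` avoids that. The function body starts above the hunk.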
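Review bot: The new case in TestUncompress (expression/builtin_encryption_test.go) covers only a declared length smaller than the inflated data; there is no case where the prefix is larger than the real size, which the new check in evalString lets through. A constructed example such as `{decodeHex("0C000000789CCB48CDC9C95728CF2FCA4901001A0B045D"), "hello world"}, // declared length larger than the data` would pin that accepted behaviour, so a later tightening shows up as a visible change. The table's declaration and the assertions that consume it lie outside the hunk, so whether the ErrZlibZBuf warning itself is asserted cannot be seen from here.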
@@ -31,7 +31,8 @@ var (
 // All the un-exported errors are defined here:
 errFunctionNotExists = terror.ClassExpression.New(mysql.ErrSpDoesNotExist, mysql.MySQLErrName[mysql.ErrSpDoesNotExist])
- errZlibZData = terror.ClassTypes.New(mysql.ErrZlibZData, mysql.MySQLErrName[mysql.ErrZlibZData])
+ errZlibZData = terror.ClassExpression.New(mysql.ErrZlibZData, mysql.MySQLErrName[mysql.ErrZlibZData])
+ errZlibZBuf = terror.ClassExpression.New(mysql.ErrZlibZBuf, mysql.MySQLErrName[mysql.ErrZlibZBuf])
 errIncorrectArgs = terror.ClassExpression.New(mysql.ErrWrongArguments, mysql.MySQLErrName[mysql.ErrWrongArguments])
 errUnknownCharacterSet = terror.ClassExpression.New(mysql.ErrUnknownCharacterSet, mysql.MySQLErrName[mysql.ErrUnknownCharacterSet])
 errDefaultValue = terror.ClassExpression.New(mysql.ErrInvalidDefault, "invalid default value")
@@ -48,6 +49,7 @@ func init() {
 mysql.ErrDivisionByZero: mysql.ErrDivisionByZero,
 mysql.ErrSpDoesNotExist: mysql.ErrSpDoesNotExist,
 mysql.ErrZlibZData: mysql.ErrZlibZData,
+ mysql.ErrZlibZBuf: mysql.ErrZlibZBuf,
 mysql.ErrWrongArguments: mysql.ErrWrongArguments,
 mysql.ErrUnknownCharacterSet: mysql.ErrUnknownCharacterSet,
 mysql.ErrInvalidDefault: mysql.ErrInvalidDefault,