From 5a82e858763d46466d697b040ccc7ce043ebc2b7 Mon Sep 17 00:00:00 2001
From: Logan Brown
Date: Thu, 23 Oct 2025 16:30:49 -0400
Subject: [PATCH] Fix integer overflow when reading MySQL OK packets (#23993)
### Description
This PR fixes a crash caused by integer underflow in `OKPacket.decodeInternal`. Previously, when `read_size` exceeded `packet_size`, the subtraction `packet_size - read_size` wrapped around, producing a huge `count` value passed into `reader.read()`. This led to an integer overflow panic at runtime.
### What does this PR do
- Added a safe subtraction guard in `decodeInternal` to clamp `remaining` to `0` when `read_size >= packet_size`.
- Ensures empty or truncated OK packets no longer cause crashes.
- Behavior for valid packets remains unchanged.
### Impact
Prevents integer overflow panics in MySQL OK packet parsing, improving stability when handling short or empty responses (e.g., queries that return no rows or minimal metadata).
### How did you verify your code works?
Tested with proof of concept: https://github.com/Lillious/Bun-MySql-Integer-Overflow-PoC
---------
Co-authored-by: Ciro Spaciari
---
 src/sql/mysql/protocol/OKPacket.zig | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/sql/mysql/protocol/OKPacket.zig b/src/sql/mysql/protocol/OKPacket.zig
index d9483d6b8b..876d6f070d 100644
--- a/src/sql/mysql/protocol/OKPacket.zig
+++ b/src/sql/mysql/protocol/OKPacket.zig
@@ -33,9 +33,9 @@ pub fn decodeInternal(this: *OKPacket, comptime Context: type, reader: NewReader
 this.warnings = try reader.int(u16);
 // Info (EOF-terminated string)
- if (reader.peek().len > 0) {
- // everything else is info
- this.info = try reader.read(@truncate(this.packet_size - read_size));
+ if (reader.peek().len > 0 and this.packet_size > read_size) {
+ const remaining = this.packet_size - read_size;
+ this.info = try reader.read(@truncate(remaining));
 }
 }
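Review bot: When `this.packet_size < read_size`, the new condition only skips the info read and `decodeInternal` still returns success, so a packet whose declared length is smaller than the fields already consumed is accepted as a valid OK packet instead of being rejected as malformed. That length is supplied by the server, so failing closed is safer than ignoring the inconsistency, e.g. `if (this.packet_size < read_size) return error.MalformedOKPacket;` ahead of the `if` (the error name is a placeholder; use whichever error this decoder already returns for bad input). In that case, and when `packet_size == read_size`, any bytes still visible through `reader.peek()` are left unread; whether that can desynchronise parsing of the next packet depends on framing outside this hunk. The diffstat shows only OKPacket.zig changed, so the fix ships without an in-repo regression test for a short or empty OK packet. The function body, including how `read_size` is accumulated, starts above the hunk.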