A Heap-based Buffer Overflow Bug in the MySQL InnoDB memcached Plugin [CVE-2021-2429]

We discussed this vulnerability during Episode 80 on 07 September 2021

This post covers a heap overflow in the InnoDB memcached plugin for MySQL. The implementation of the memcached “get” command first tokenizes the requested keys and then fetches each one. If one of the keys has the form “@@containers.name”, the corresponding table name is copied into the row buffer at the buffer's current cursor position via memcpy(). The only bounds check on that copy is an assert, and asserts are compiled out of release builds, so production builds have effectively no bounds checking at all. A table name long enough to run past the end of the slot therefore yields an out-of-bounds write through the heap-allocated row buffer.
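The pattern is worth seeing side by side. The following is an added example written for these notes, not code from MySQL or from the original post: a simplified row buffer with a cursor, a copy routine whose only bounds check disappears the way assert() does when NDEBUG is defined, and a hardened copy routine that checks before the memcpy() and resets the cursor on failure (a stand-in for the fix described below, not the actual patch). The slot size, the guard region, the table name and the starting cursor are all constructed demo values; the guard region exists only so the stray write stays inside one allocation and can be measured without undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed demo values (not InnoDB's real constants): a tiny slot so the
 * overflow is easy to see, plus a guard region after the slot so the stray
 * write lands inside the same allocation and can be counted safely. */
#define REC_BUF_SLOT_SIZE 64
#define GUARD_SIZE        32
#define GUARD_BYTE        0xAA

/* Stand-in for an assert that is compiled out of production builds: with
 * NDEBUG defined, assert(x) expands to nothing, so the check only exists in
 * debug builds. ROWBUF_DEBUG_CHECKS is a demo-only switch, off by default. */
#ifdef ROWBUF_DEBUG_CHECKS
#include <assert.h>
#define DEBUG_ONLY_ASSERT(x) assert(x)
#else
#define DEBUG_ONLY_ASSERT(x) ((void)0)
#endif

typedef struct {
    unsigned char *buf;   /* heap row buffer, REC_BUF_SLOT_SIZE usable bytes */
    size_t cursor;        /* next write position inside buf */
} row_buf_t;

/* Pre-patch pattern: the bounds check is an assert, so in a release build the
 * memcpy runs unconditionally and writes past the end of the slot. */
static void vulnerable_copy_table_name(row_buf_t *rb, const char *name, size_t name_len)
{
    DEBUG_ONLY_ASSERT(rb->cursor + name_len <= REC_BUF_SLOT_SIZE);
    memcpy(rb->buf + rb->cursor, name, name_len);
    rb->cursor += name_len;
}

/* Hardened pattern: the check is ordinary code that runs in every build. If
 * the name does not fit, nothing is copied and the cursor is reset. The
 * subtraction form avoids overflowing cursor + name_len on huge lengths. */
static bool hardened_copy_table_name(row_buf_t *rb, const char *name, size_t name_len)
{
    if (name_len > REC_BUF_SLOT_SIZE || rb->cursor > REC_BUF_SLOT_SIZE - name_len) {
        rb->cursor = 0;
        return false;
    }
    memcpy(rb->buf + rb->cursor, name, name_len);
    rb->cursor += name_len;
    return true;
}

/* Allocate slot + guard on the heap, fill the guard with a known byte, run one
 * copy routine with the cursor already near the end of the slot, and return
 * how many guard bytes were overwritten (0 means no out-of-bounds write). */
static size_t count_clobbered_guard_bytes(bool use_hardened, size_t start_cursor, const char *name)
{
    size_t name_len = strlen(name);
    unsigned char *alloc = malloc(REC_BUF_SLOT_SIZE + GUARD_SIZE);
    if (!alloc)
        abort();
    memset(alloc, 0, REC_BUF_SLOT_SIZE);
    memset(alloc + REC_BUF_SLOT_SIZE, GUARD_BYTE, GUARD_SIZE);

    row_buf_t rb = { alloc, start_cursor };
    if (use_hardened)
        (void)hardened_copy_table_name(&rb, name, name_len);
    else
        vulnerable_copy_table_name(&rb, name, name_len);

    size_t clobbered = 0;
    for (size_t i = 0; i < GUARD_SIZE; i++)
        if (alloc[REC_BUF_SLOT_SIZE + i] != GUARD_BYTE)
            clobbered++;
    free(alloc);
    return clobbered;
}

/* Constructed input: a plausible "database/table" name of 30 bytes, copied
 * with the cursor already at byte 56 of a 64-byte slot, so 22 bytes spill
 * past the slot in the vulnerable version. */
#define DEMO_TABLE_NAME   "test/demo_table_with_long_name"
#define DEMO_START_CURSOR 56

size_t demo_vulnerable_clobber(void)
{
    return count_clobbered_guard_bytes(false, DEMO_START_CURSOR, DEMO_TABLE_NAME);
}

size_t demo_hardened_clobber(void)
{
    return count_clobbered_guard_bytes(true, DEMO_START_CURSOR, DEMO_TABLE_NAME);
}

int main(void)
{
    printf("assert-only check (release build): %zu guard bytes clobbered\n", demo_vulnerable_clobber());
    printf("explicit check:                    %zu guard bytes clobbered\n", demo_hardened_clobber());
    return 0;
}
```

Compiling with -DROWBUF_DEBUG_CHECKS makes the vulnerable routine abort on the same input, which is exactly the behaviour a debug build of the plugin would have shown and why the bug survived testing: the check was real in the build the developers ran and absent in the build users ran.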

Patch

The assert was removed and an explicit bounds check was added above the memcpy(). If the table name length added to the cursor would exceed REC_BUF_SLOT_SIZE, the record size is limited to 16MiB and the cursor is reset, so the copy can no longer run off the end of the buffer.