From 13f06c38fb68757607c460789196e3f798d506f2 Mon Sep 17 00:00:00 2001
From: Filipe Silva
Date: Tue, 14 Jan 2020 17:56:41 +0000
Subject: [PATCH] Fix for Bug#30636056, ResultSetUtil.resultSetToMap() can be unsafe to use.
---
 src/com/mysql/jdbc/CallableStatement.java | 3 +-
 src/com/mysql/jdbc/Util.java | 45 +------------------
 .../ServerStatusDiffInterceptor.java | 8 ++--
 3 files changed, 6 insertions(+), 50 deletions(-)
diff --git a/src/com/mysql/jdbc/CallableStatement.java b/src/com/mysql/jdbc/CallableStatement.java
index 95b60a659..d08ba684c 100644
--- a/src/com/mysql/jdbc/CallableStatement.java
+++ b/src/com/mysql/jdbc/CallableStatement.java
@@ -1,5 +1,5 @@
 /*
- Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
+ Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved.
 The MySQL Connector/J is licensed under the terms of the GPLv2 , like most MySQL Connectors.
@@ -179,7 +179,6 @@ protected class CallableStatementParamInfo implements ParameterMetaData {
 this.numParameters = this.parameterList.size();
 }
- @SuppressWarnings("synthetic-access")
 CallableStatementParamInfo(java.sql.ResultSet paramTypesRs) throws SQLException {
 boolean hadRows = paramTypesRs.last();
diff --git a/src/com/mysql/jdbc/Util.java b/src/com/mysql/jdbc/Util.java
index ba4bf172c..bb921dbc6 100644
--- a/src/com/mysql/jdbc/Util.java
+++ b/src/com/mysql/jdbc/Util.java
@@ -1,5 +1,5 @@
 /*
- Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
+ Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved.
 The MySQL Connector/J is licensed under the terms of the GPLv2 , like most MySQL Connectors.
@@ -23,7 +23,6 @@
 package com.mysql.jdbc;
-import java.io.ObjectInputStream;
 import java.io.PrintWriter;
 import java.io.StringWriter;
 import java.io.UnsupportedEncodingException;
@@ -297,27 +296,6 @@ private static RandStructcture randomInit(long seed1, long seed2) {
 return randStruct;
 }
- /**
- * Given a ResultSet and an index into the columns of that ResultSet, read
- * binary data from the column which represents a serialized object, and
- * re-create the object.
- *
- * @param resultSet
- * the ResultSet to use.
- * @param index
- * an index into the ResultSet.
- * @return the object if it can be de-serialized
- * @throws Exception
- * if an error occurs
- */
- public static Object readObject(java.sql.ResultSet resultSet, int index) throws Exception {
- ObjectInputStream objIn = new ObjectInputStream(resultSet.getBinaryStream(index));
- Object obj = objIn.readObject();
- objIn.close();
-
- return obj;
- }
-
 private static double rnd(RandStructcture randStruct) {
 randStruct.seed1 = ((randStruct.seed1 * 3) + randStruct.seed2) % randStruct.maxValue;
 randStruct.seed2 = (randStruct.seed1 + randStruct.seed2 + 33) % randStruct.maxValue;
@@ -461,27 +439,6 @@ public static boolean interfaceExists(String hostname) {
 }
 }
- @SuppressWarnings({ "rawtypes", "unchecked" })
- public static void resultSetToMap(Map mappedValues, java.sql.ResultSet rs) throws SQLException {
- while (rs.next()) {
- mappedValues.put(rs.getObject(1), rs.getObject(2));
- }
- }
-
- @SuppressWarnings({ "rawtypes", "unchecked" })
- public static void resultSetToMap(Map mappedValues, java.sql.ResultSet rs, int key, int value) throws SQLException {
- while (rs.next()) {
- mappedValues.put(rs.getObject(key), rs.getObject(value));
- }
- }
-
- @SuppressWarnings({ "rawtypes", "unchecked" })
- public static void resultSetToMap(Map mappedValues, java.sql.ResultSet rs, String key, String value) throws SQLException {
- while (rs.next()) {
- mappedValues.put(rs.getObject(key), rs.getObject(value));
- }
- }
-
 public static Map calculateDifferences(Map map1, Map map2) {
 Map diffMap = new HashMap();
diff --git a/src/com/mysql/jdbc/interceptors/ServerStatusDiffInterceptor.java b/src/com/mysql/jdbc/interceptors/ServerStatusDiffInterceptor.java
index 1e6849a4e..7a1bab84d 100644
--- a/src/com/mysql/jdbc/interceptors/ServerStatusDiffInterceptor.java
+++ b/src/com/mysql/jdbc/interceptors/ServerStatusDiffInterceptor.java
@@ -1,5 +1,5 @@
 /*
- Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
+ Copyright (c) 2007, 2020, Oracle and/or its affiliates. All rights reserved.
 The MySQL Connector/J is licensed under the terms of the GPLv2 , like most MySQL Connectors.
@@ -63,15 +63,15 @@ private void populateMapWithSessionStatusValues(Connection connection, Map