Commit 08c4820d authored by vasil's avatar vasil

branches/5.1:

Fix Bug#36149 Read buffer overflow in srv0start.c found during "make test"

Use strncmp(3) instead of memcmp(3) to avoid reading past end of the string
if it is empty (*str == '\0'). This bug is _not_ a buffer overflow.

Discussed with:	Sunny (via IM)
parent 033fffe6
...@@ -202,12 +202,12 @@ srv_parse_data_file_paths_and_sizes( ...@@ -202,12 +202,12 @@ srv_parse_data_file_paths_and_sizes(
str = srv_parse_megabytes(str, &size); str = srv_parse_megabytes(str, &size);
if (0 == memcmp(str, ":autoextend", if (0 == strncmp(str, ":autoextend",
(sizeof ":autoextend") - 1)) { (sizeof ":autoextend") - 1)) {
str += (sizeof ":autoextend") - 1; str += (sizeof ":autoextend") - 1;
if (0 == memcmp(str, ":max:", if (0 == strncmp(str, ":max:",
(sizeof ":max:") - 1)) { (sizeof ":max:") - 1)) {
str += (sizeof ":max:") - 1; str += (sizeof ":max:") - 1;
...@@ -290,14 +290,15 @@ srv_parse_data_file_paths_and_sizes( ...@@ -290,14 +290,15 @@ srv_parse_data_file_paths_and_sizes(
(*data_file_names)[i] = path; (*data_file_names)[i] = path;
(*data_file_sizes)[i] = size; (*data_file_sizes)[i] = size;
if (0 == memcmp(str, ":autoextend", if (0 == strncmp(str, ":autoextend",
(sizeof ":autoextend") - 1)) { (sizeof ":autoextend") - 1)) {
*is_auto_extending = TRUE; *is_auto_extending = TRUE;
str += (sizeof ":autoextend") - 1; str += (sizeof ":autoextend") - 1;
if (0 == memcmp(str, ":max:", (sizeof ":max:") - 1)) { if (0 == strncmp(str, ":max:",
(sizeof ":max:") - 1)) {
str += (sizeof ":max:") - 1; str += (sizeof ":max:") - 1;
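Review bot: Nothing in either hunk records why `strncmp` is used for the four prefix tests, so a later cleanup could switch them back to `memcmp` and bring back the read past the terminator when `str` is shorter than the literal. A comment at the first test would cover it, e.g. `/* strncmp, not memcmp: str may be shorter than the literal; strncmp stops at the NUL */`. The literal is also repeated in the comparison, its length and the `str +=` advance, so a helper such as `#define STR_HAS_PREFIX(s, lit) (0 == strncmp((s), (lit), sizeof(lit) - 1))` would stop the string and its length from drifting apart. The function body continues outside both hunks, so any other fixed-length compare on `str` there should be checked for the same over-read; the fix presumably relies on `str` always being NUL-terminated, which is not visible here.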
......