Bug#31752: check strmake() bounds

post-fixes: prevent semi-related overflow, additional comments
parent 1a95ed1d
...@@ -272,7 +272,7 @@ void symdirget(char *dir) ...@@ -272,7 +272,7 @@ void symdirget(char *dir)
SYNOPSIS SYNOPSIS
unpack_dirname() unpack_dirname()
to Store result here. May be = from to result-buffer, FN_REFLEN characters. may be == from
from 'Packed' directory name (may contain ~) from 'Packed' directory name (may contain ~)
IMPLEMENTATION IMPLEMENTATION
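Review bot: The new description of `to` says "FN_REFLEN characters" but does not say whether that count includes the terminating NUL, which is exactly the ambiguity a strmake()-bounds bug turns on. If the buffer must be FN_REFLEN bytes with the NUL inside that count, say so: `to   Result buffer of FN_REFLEN bytes (including the terminating NUL); may be == from`. Keep the `may be == from` remark on the same line so both constraints are read together; the rest of the synopsis and the implementation lie outside this hunk.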
...@@ -398,7 +398,7 @@ uint unpack_filename(my_string to, const char *from) ...@@ -398,7 +398,7 @@ uint unpack_filename(my_string to, const char *from)
/* Convert filename (unix standard) to system standard */ /* Convert filename (unix standard) to system standard */
/* Used before system command's like open(), create() .. */ /* Used before system command's like open(), create() .. */
/* Returns length of to */ /* Returns used length of to; total length should be FN_REFLEN */
uint system_filename(my_string to, const char *from) uint system_filename(my_string to, const char *from)
{ {
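Review bot: "total length should be FN_REFLEN" reads as advice rather than a precondition, so a caller cannot tell whether a smaller buffer is merely discouraged or an overflow. I would write `/* Returns used length of to; to must point to a buffer of FN_REFLEN bytes */` so the requirement is unambiguous. The body of system_filename continues outside the hunk, so I cannot confirm from here which bound the implementation actually enforces.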
......
...@@ -963,7 +963,7 @@ err: ...@@ -963,7 +963,7 @@ err:
void MYSQL_LOG::make_log_name(char* buf, const char* log_ident) void MYSQL_LOG::make_log_name(char* buf, const char* log_ident)
{ {
uint dir_len = dirname_length(log_file_name); uint dir_len = dirname_length(log_file_name);
if (dir_len > FN_REFLEN) if (dir_len >= FN_REFLEN)
dir_len=FN_REFLEN-1; dir_len=FN_REFLEN-1;
strnmov(buf, log_file_name, dir_len); strnmov(buf, log_file_name, dir_len);
strmake(buf+dir_len, log_ident, FN_REFLEN - dir_len -1); strmake(buf+dir_len, log_ident, FN_REFLEN - dir_len -1);
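Review bot: The `>=` clamp now keeps `FN_REFLEN - dir_len - 1` from wrapping as an unsigned value, but when it fires the result is silently wrong: strnmov copies only the first FN_REFLEN-1 bytes of the directory and the strmake on the last line then appends nothing of log_ident, so buf names a truncated path and the caller gets no indication. That is fine as an overflow guard, but it deserves a comment at the clamp, e.g. `/* buf must hold FN_REFLEN bytes; an over-long directory is truncated and log_ident dropped */`, and the truncation is worth reporting to the error log so the misconfiguration is visible. The clamp does not alter log_file_name itself, so dirname_length will report the same over-long value on every call. make_log_name continues outside the hunk.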
......
...@@ -136,7 +136,8 @@ int mysqld_show_tables(THD *thd,const char *db,const char *wild) ...@@ -136,7 +136,8 @@ int mysqld_show_tables(THD *thd,const char *db,const char *wild)
{ {
Item_string *field=new Item_string("",0,thd->charset()); Item_string *field=new Item_string("",0,thd->charset());
List<Item> field_list; List<Item> field_list;
char path[FN_REFLEN],*end; char path[FN_REFLEN],*end; // for unpack_dirname()
List<char> files; List<char> files;
char *file_name; char *file_name;
Protocol *protocol= thd->protocol; Protocol *protocol= thd->protocol;
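Review bot: The comment added on the `path` declaration names the consumer but not the constraint, so a reader still has to open unpack_dirname() to learn why FN_REFLEN is the required size. I would write `char path[FN_REFLEN],*end; // unpack_dirname() requires a FN_REFLEN-byte buffer`, and the same applies to the identical comment added on `path` in the mysqld_extend_show_tables hunk. The hunk header counts one added line while only a changed line is visible, so part of this hunk may have been lost in rendering.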
...@@ -457,7 +458,7 @@ int mysqld_extend_show_tables(THD *thd,const char *db,const char *wild) ...@@ -457,7 +458,7 @@ int mysqld_extend_show_tables(THD *thd,const char *db,const char *wild)
Item *item; Item *item;
List<char> files; List<char> files;
List<Item> field_list; List<Item> field_list;
char path[FN_REFLEN]; char path[FN_REFLEN]; // for unpack_dirname()
char *file_name; char *file_name;
TABLE *table; TABLE *table;
Protocol *protocol= thd->protocol; Protocol *protocol= thd->protocol;
......
...@@ -141,6 +141,11 @@ bool mysql_create_frm(THD *thd, my_string file_name, ...@@ -141,6 +141,11 @@ bool mysql_create_frm(THD *thd, my_string file_name,
60); 60);
forminfo[46]=(uchar) strlen((char*)forminfo+47); // Length of comment forminfo[46]=(uchar) strlen((char*)forminfo+47); // Length of comment
#ifdef EXTRA_DEBUG #ifdef EXTRA_DEBUG
/*
EXTRA_DEBUG causes strmake() to initialize its buffer behind the
payload with a magic value to detect wrong buffer-sizes. We
explicitly zero that segment again.
*/
memset((char*) forminfo+47 + forminfo[46], 0, 61 - forminfo[46]); memset((char*) forminfo+47 + forminfo[46], 0, 61 - forminfo[46]);
#endif #endif
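Review bot: The new comment explains why the memset exists but not its bounds, and the constants 47 and 61 are the part a maintainer is most likely to get wrong. From the `60)` strmake argument visible just above, forminfo[46] appears to be at most 60, so `61 - forminfo[46]` zeroes from the terminating NUL through the end of the comment field; if that is right, add it as a sentence such as `The comment field is 61 bytes at forminfo[47..107]; zero from its NUL terminator to the end of that field.` Spelling the layout out keeps the memset width from being changed later without the reader knowing it must cover exactly the bytes strmake() padded. mysql_create_frm starts outside the hunk, so I could not confirm the field layout from here.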
......