    Bug#48983: Bad strmake calls (length one too long) · 06a1df91
    Davi Arnaut authored
    The problem is a somewhat common misusage of the strmake function.
    The strmake(dst, src, len) function writes at most /len/ bytes to
    the string pointed to by src, not including the trailing null byte.
    Hence, if /len/ is the exact length of the destination buffer, a
    one byte buffer overflow can occur if the length of the source
    string is equal to or greater than /len/.
    
    client/mysqldump.c:
      Make room for the trailing null byte.
    libmysql/libmysql.c:
      Add comment, there is enough room in the buffer.
      Increase buffer length, two strings are concatenated.
    libmysqld/lib_sql.cc:
      Make room for the trailing null byte.
    mysys/default.c:
      Make room for the trailing null bytes.
    mysys/mf_pack.c:
      Make room for the trailing null byte.
    server-tools/instance-manager/commands.cc:
      Copy only if overflow isn't possible in both cases.
    server-tools/instance-manager/listener.cc:
      Make room for the trailing null byte.
    sql/log.cc:
      Make room for the trailing null byte.
    sql/sp_pcontext.h:
      Cosmetic fix.
    sql/sql_acl.cc:
      MAX_HOSTNAME already specifies space for the trailing null byte.
    sql/sql_parse.cc:
      Make room for the trailing null byte.
    sql/sql_table.cc:
      Make room for the trailing null byte.
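The off-by-one described in the commit message, shown as an added example that is not part of the commit or of the MySQL code base. `my_strmake` is a local reimplementation assumed to follow the contract the message gives for `strmake` (copy at most `len` bytes, then always write a terminating NUL); `strmake_bytes_written` and `strmake_call_is_safe` are hypothetical helpers that run such a call into an oversized scratch buffer so the number of bytes the real call would have written can be measured without corrupting memory. The sample strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: mirrors the strmake() contract described in the commit message.
 * Copies at most `length` bytes of src into dst and then writes a NUL, so a
 * source of `length` or more characters makes it write `length + 1` bytes. */
static char *my_strmake(char *dst, const char *src, size_t length)
{
    while (length--)
        if (!(*dst++ = *src++))
            return dst - 1;        /* source ended early: NUL already copied */
    *dst = 0;                      /* source not exhausted: terminate here    */
    return dst;                    /* points at the terminating NUL           */
}

#define SCRATCH_SIZE 256

/* Number of bytes strmake(dst, src, len_arg) writes (content plus NUL),
 * measured inside a large scratch buffer so the measurement itself is safe.
 * Calls with len_arg >= SCRATCH_SIZE - 1 are reported as (size_t)-1. */
size_t strmake_bytes_written(size_t len_arg, const char *src)
{
    char scratch[SCRATCH_SIZE];

    if (len_arg >= sizeof scratch - 1)
        return (size_t)-1;

    memset(scratch, 0xAA, sizeof scratch);   /* visible filler pattern */
    char *end = my_strmake(scratch, src, len_arg);
    return (size_t)(end - scratch) + 1;      /* +1 for the NUL at *end */
}

/* 1 if the call stays inside a destination of dst_size bytes, 0 if the real
 * call would write past it. The fix pattern from the commit is to pass
 * sizeof(dst) - 1 (or size the buffer as N + 1 and pass N). */
int strmake_call_is_safe(size_t dst_size, size_t len_arg, const char *src)
{
    return strmake_bytes_written(len_arg, src) <= dst_size;
}

int main(void)
{
    const char *src = "abcdefgh";              /* constructed: 8 characters */
    enum { DST_SIZE = 8 };

    /* Buggy pattern: len equals the buffer size, source fills it exactly. */
    printf("strmake(buf, src, %d) writes %zu bytes into %d -> %s\n",
           DST_SIZE, strmake_bytes_written(DST_SIZE, src), DST_SIZE,
           strmake_call_is_safe(DST_SIZE, DST_SIZE, src) ? "ok" : "OVERFLOW");

    /* Fixed pattern: leave room for the trailing NUL. */
    printf("strmake(buf, src, %d) writes %zu bytes into %d -> %s\n",
           DST_SIZE - 1, strmake_bytes_written(DST_SIZE - 1, src), DST_SIZE,
           strmake_call_is_safe(DST_SIZE, DST_SIZE - 1, src) ? "ok" : "OVERFLOW");

    /* Same buggy call with a short source: no overflow, which is why the
     * defect only shows up on inputs of length >= len. */
    printf("strmake(buf, \"abc\", %d) writes %zu bytes into %d -> %s\n",
           DST_SIZE, strmake_bytes_written(DST_SIZE, "abc"), DST_SIZE,
           strmake_call_is_safe(DST_SIZE, DST_SIZE, "abc") ? "ok" : "OVERFLOW");
    return 0;
}
```

The helper measures rather than overflows: the count of `len + 1` for a long source is exactly the one byte past the buffer that the commit fixes at each call site by shrinking `len` or growing the buffer.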