Bug#31752: check strmake() bounds

post-fixes: prevent semi-related overflow, additional comments mysys/mf_pack.c: extra comments sql/log.cc: prevent overflow (length parameter of strmake() should never become < 0) sql/sql_show.cc: additional comments sql/unireg.cc: additional comments

Bug#31752: check strmake() bounds
post-fixes: prevent semi-related overflow, additional comments mysys/mf_pack.c: extra comments sql/log.cc: prevent overflow (length parameter of strmake() should never become < 0) sql/sql_show.cc: additional comments sql/unireg.cc: additional comments
14e9797e · unknown · f61a4c8c · 14e9797e · 14e9797e · 14e9797e
Commit 14e9797e authored Dec 06, 2007 by unknown
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 5 deletions

mysys/mf_pack.c mysys/mf_pack.c +2 -2

sql/log.cc sql/log.cc +1 -1

sql/sql_show.cc sql/sql_show.cc +3 -2

sql/unireg.cc sql/unireg.cc +5 -0

No files found.
--- a/mysys/mf_pack.c
+++ b/mysys/mf_pack.c
@@ -272,7 +272,7 @@ void symdirget(char *dir)

  SYNOPSIS
    unpack_dirname()
-    to			Store result here.  May be = from
+    to			result-buffer, FN_REFLEN characters. may be == from
    from		'Packed' directory name (may contain ~)

 IMPLEMENTATION
@@ -398,7 +398,7 @@ uint unpack_filename(my_string to, const char *from)

 	/* Convert filename (unix standard) to system standard */
 	/* Used before system command's like open(), create() .. */
-	/* Returns length of to */
+	/* Returns used length of to; total length should be FN_REFLEN */

 uint system_filename(my_string to, const char *from)
 {

--- a/sql/log.cc
+++ b/sql/log.cc
@@ -963,7 +963,7 @@ int MYSQL_LOG::purge_logs_before_date(time_t purge_time)
 void MYSQL_LOG::make_log_name(char* buf, const char* log_ident)
 {
  uint dir_len = dirname_length(log_file_name); 
-  if (dir_len > FN_REFLEN)
+  if (dir_len >= FN_REFLEN)
    dir_len=FN_REFLEN-1;
  strnmov(buf, log_file_name, dir_len);
  strmake(buf+dir_len, log_ident, FN_REFLEN - dir_len -1);

--- a/sql/sql_show.cc
+++ b/sql/sql_show.cc
@@ -136,7 +136,8 @@ int mysqld_show_tables(THD *thd,const char *db,const char *wild)
 {
  Item_string *field=new Item_string("",0,thd->charset());
  List<Item> field_list;
-  char path[FN_REFLEN],*end;
+  char path[FN_REFLEN],*end;                    // for unpack_dirname()
+
  List<char> files;
  char *file_name;
  Protocol *protocol= thd->protocol;
@@ -457,7 +458,7 @@ int mysqld_extend_show_tables(THD *thd,const char *db,const char *wild)
  Item *item;
  List<char> files;
  List<Item> field_list;
-  char path[FN_REFLEN];
+  char path[FN_REFLEN];                         // for unpack_dirname()
  char *file_name;
  TABLE *table;
  Protocol *protocol= thd->protocol;

--- a/sql/unireg.cc
+++ b/sql/unireg.cc
@@ -141,6 +141,11 @@ bool mysql_create_frm(THD *thd, my_string file_name,
 	  60);
  forminfo[46]=(uchar) strlen((char*)forminfo+47);	// Length of comment
 #ifdef EXTRA_DEBUG
+  /*
+    EXTRA_DEBUG causes strmake() to initialize its buffer behind the
+    payload with a magic value to detect wrong buffer-sizes. We
+    explicitly zero that segment again.
+  */
  memset((char*) forminfo+47 + forminfo[46], 0, 61 - forminfo[46]);
 #endif