MDEV-12799 Buffer overflow

with a specially corrupted master.info one can get an invalid heartbeat_period that will trigger a heap overflow.

MDEV-12799 Buffer overflow
with a specially corrupted master.info one can get an invalid heartbeat_period that will trigger a heap overflow.
2e1428c0 · Sergei Golubchik · e0352fb0 · 2e1428c0
Commit 2e1428c0 authored May 15, 2017 by Sergei Golubchik
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 3 deletions

sql/rpl_mi.cc sql/rpl_mi.cc +3 -3

No files found.
--- a/sql/rpl_mi.cc
+++ b/sql/rpl_mi.cc
@@ -401,7 +401,7 @@ file '%s')", fname);
    mi->connect_retry= (uint) connect_retry;
    mi->ssl= (my_bool) ssl;
    mi->ssl_verify_server_cert= ssl_verify_server_cert;
-    mi->heartbeat_period= master_heartbeat_period;
+    mi->heartbeat_period= min(SLAVE_MAX_HEARTBEAT_PERIOD, master_heartbeat_period);
  }
  DBUG_PRINT("master_info",("log_file_name: %s  position: %ld",
                            mi->master_log_name,
@@ -518,8 +518,8 @@ int flush_master_info(Master_info* mi,
     contents of file). But because of number of lines in the first line
     of file we don't care about this garbage.
  */
-  char heartbeat_buf[sizeof(mi->heartbeat_period) * 4]; // buffer to suffice always
+  char heartbeat_buf[FLOATING_POINT_BUFFER];
-  sprintf(heartbeat_buf, "%.3f", mi->heartbeat_period);
+  my_fcvt(mi->heartbeat_period, 3, heartbeat_buf, NULL);
  my_b_seek(file, 0L);
  my_b_printf(file,
              "%u\n%s\n%s\n%s\n%s\n%s\n%d\n%d\n%d\n%s\n%s\n%s\n%s\n%s\n%d\n%s\n%s\n%s\n",