Commit be90800c authored by unknown's avatar unknown

Fix for

bug #27715: mysqld --character-sets-dir buffer overflow
bug ##26851: Mysql Client --pager Buffer Overflow

Using strmov() to copy an argument may cause an overflow
if the argument's length is bigger than the buffer:
use strmake() instead.
Also, we have to increase the error message buffer size to fit
the longest message.


client/mysql.cc:
  Fix for 
  bug #27715: mysqld --character-sets-dir buffer overflow
  bug ##26851: Mysql Client --pager Buffer Overflow
    - use strmake() instead of strmov() to avoid buffer overflow.
mysql-test/r/mysql.result:
  Fix for 
  bug #27715: mysqld --character-sets-dir buffer overflow
  bug ##26851: Mysql Client --pager Buffer Overflow
  
    - test result.
mysql-test/t/mysql.test:
  Fix for 
  bug #27715: mysqld --character-sets-dir buffer overflow
  bug ##26851: Mysql Client --pager Buffer Overflow
  
    - test case.
mysys/charset.c:
  Fix for 
  bug #27715: mysqld --character-sets-dir buffer overflow
  bug ##26851: Mysql Client --pager Buffer Overflow
  
    - encrease error message buffer size to fit the (possible) longest message.
parent 0ab74abc
...@@ -808,7 +808,7 @@ get_one_option(int optid, const struct my_option *opt __attribute__((unused)), ...@@ -808,7 +808,7 @@ get_one_option(int optid, const struct my_option *opt __attribute__((unused)),
break; break;
#endif #endif
case OPT_CHARSETS_DIR: case OPT_CHARSETS_DIR:
strmov(mysql_charsets_dir, argument); strmake(mysql_charsets_dir, argument, sizeof(mysql_charsets_dir) - 1);
charsets_dir = mysql_charsets_dir; charsets_dir = mysql_charsets_dir;
break; break;
case OPT_DEFAULT_CHARSET: case OPT_DEFAULT_CHARSET:
...@@ -861,7 +861,7 @@ get_one_option(int optid, const struct my_option *opt __attribute__((unused)), ...@@ -861,7 +861,7 @@ get_one_option(int optid, const struct my_option *opt __attribute__((unused)),
if (argument && strlen(argument)) if (argument && strlen(argument))
{ {
default_pager_set= 1; default_pager_set= 1;
strmov(pager, argument); strmake(pager, argument, sizeof(pager) - 1);
strmov(default_pager, pager); strmov(default_pager, pager);
} }
else if (default_pager_set) else if (default_pager_set)
......
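Review bot: The unchanged `strmov(default_pager, pager);` right after the new `strmake()` in the pager branch is still an unbounded copy; it is safe only if `default_pager` is at least as large as `pager`, and neither declaration is visible in this hunk. `strmake(default_pager, pager, sizeof(default_pager) - 1);` would remove that dependency. Separately, `strmake()` truncates without reporting it, so an over-long `--pager` or `--character-sets-dir` value is now silently shortened instead of rejected; comparing `strlen(argument)` with the buffer size first and returning an error would keep a truncated pager command or directory path from being used. get_one_option starts and ends outside both hunks.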
...@@ -174,4 +174,8 @@ ERROR 2005 (HY000) at line 1: Unknown MySQL server host 'cyrils_superlonghostnam ...@@ -174,4 +174,8 @@ ERROR 2005 (HY000) at line 1: Unknown MySQL server host 'cyrils_superlonghostnam
1 1
ERROR at line 1: DELIMITER cannot contain a backslash character ERROR at line 1: DELIMITER cannot contain a backslash character
ERROR at line 1: DELIMITER cannot contain a backslash character ERROR at line 1: DELIMITER cannot contain a backslash character
1
1
1
1
End of 5.0 tests End of 5.0 tests
...@@ -264,4 +264,10 @@ EOF ...@@ -264,4 +264,10 @@ EOF
--exec $MYSQL --version 2>&1 > /dev/null --exec $MYSQL --version 2>&1 > /dev/null
--enable_quary_log --enable_quary_log
#
# bug #26851: Mysql Client --pager Buffer Overflow
#
--exec $MYSQL --pager="540bytelengthstringxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" -e "select 1" 2>&1
--exec $MYSQL --character-sets-dir="540bytelengthstringxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" -e "select 1" 2>&1
--echo End of 5.0 tests --echo End of 5.0 tests
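Review bot: The two new `--exec` lines hard-code a 540-byte literal and only show that `select 1` still returns, so the test does not say why 540 is enough or what the client does with the over-long value. A comment above them such as `# argument must be longer than the pager / charsets-dir buffers (presumably FN_REFLEN) to exercise the overflow path` would keep the test meaningful if those buffers are ever enlarged. The second line covers bug #27715, but the comment header names only bug #26851; adding `# bug #27715: mysqld --character-sets-dir buffer overflow` would make that traceable.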
...@@ -388,7 +388,7 @@ my_bool STDCALL init_available_charsets(myf myflags) ...@@ -388,7 +388,7 @@ my_bool STDCALL init_available_charsets(myf myflags)
static my_bool init_available_charsets(myf myflags) static my_bool init_available_charsets(myf myflags)
#endif #endif
{ {
char fname[FN_REFLEN]; char fname[FN_REFLEN + sizeof(MY_CHARSET_INDEX)];
my_bool error=FALSE; my_bool error=FALSE;
/* /*
We have to use charset_initialized to not lock on THR_LOCK_charset We have to use charset_initialized to not lock on THR_LOCK_charset
...@@ -519,7 +519,7 @@ CHARSET_INFO *get_charset(uint cs_number, myf flags) ...@@ -519,7 +519,7 @@ CHARSET_INFO *get_charset(uint cs_number, myf flags)
if (!cs && (flags & MY_WME)) if (!cs && (flags & MY_WME))
{ {
char index_file[FN_REFLEN], cs_string[23]; char index_file[FN_REFLEN + sizeof(MY_CHARSET_INDEX)], cs_string[23];
strmov(get_charsets_dir(index_file),MY_CHARSET_INDEX); strmov(get_charsets_dir(index_file),MY_CHARSET_INDEX);
cs_string[0]='#'; cs_string[0]='#';
int10_to_str(cs_number, cs_string+1, 10); int10_to_str(cs_number, cs_string+1, 10);
...@@ -539,7 +539,7 @@ CHARSET_INFO *get_charset_by_name(const char *cs_name, myf flags) ...@@ -539,7 +539,7 @@ CHARSET_INFO *get_charset_by_name(const char *cs_name, myf flags)
if (!cs && (flags & MY_WME)) if (!cs && (flags & MY_WME))
{ {
char index_file[FN_REFLEN]; char index_file[FN_REFLEN + sizeof(MY_CHARSET_INDEX)];
strmov(get_charsets_dir(index_file),MY_CHARSET_INDEX); strmov(get_charsets_dir(index_file),MY_CHARSET_INDEX);
my_error(EE_UNKNOWN_COLLATION, MYF(ME_BELL), cs_name, index_file); my_error(EE_UNKNOWN_COLLATION, MYF(ME_BELL), cs_name, index_file);
} }
...@@ -564,7 +564,7 @@ CHARSET_INFO *get_charset_by_csname(const char *cs_name, ...@@ -564,7 +564,7 @@ CHARSET_INFO *get_charset_by_csname(const char *cs_name,
if (!cs && (flags & MY_WME)) if (!cs && (flags & MY_WME))
{ {
char index_file[FN_REFLEN]; char index_file[FN_REFLEN + sizeof(MY_CHARSET_INDEX)];
strmov(get_charsets_dir(index_file),MY_CHARSET_INDEX); strmov(get_charsets_dir(index_file),MY_CHARSET_INDEX);
my_error(EE_UNKNOWN_CHARSET, MYF(ME_BELL), cs_name, index_file); my_error(EE_UNKNOWN_CHARSET, MYF(ME_BELL), cs_name, index_file);
} }
......
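Review bot: All four buffers are enlarged to `FN_REFLEN + sizeof(MY_CHARSET_INDEX)`, but the `strmov(get_charsets_dir(index_file),MY_CHARSET_INDEX);` calls that fill them are still unbounded, so the fix holds only if get_charsets_dir() never writes more than FN_REFLEN bytes, which is not visible in these hunks. I would state that invariant once in a comment at the first declaration in init_available_charsets, e.g. `/* room for the directory (at most FN_REFLEN, per get_charsets_dir()) plus MY_CHARSET_INDEX */`, or give the size a named macro so the four sites cannot drift apart. The same applies to the declarations in get_charset, get_charset_by_name and get_charset_by_csname; all four function bodies extend beyond the hunks.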