Commit f46d0fae authored by Timothy Smith's avatar Timothy Smith

Complete application of InnoDB snapshot innodb-5.1-ss2485, part 2. Fixes

Bug #36149: Read buffer overflow in srv0start.c found during "make test"


Detailed revision comments:

r2485 | vasil | 2008-05-28 16:01:14 +0300 (Wed, 28 May 2008) | 9 lines
branches/5.1:

Fix Bug#36149 Read buffer overflow in srv0start.c found during "make test"

Use strncmp(3) instead of memcmp(3) to avoid reading past end of the string
if it is empty (*str == '\0'). This bug is _not_ a buffer overflow.

Discussed with:	Sunny (via IM)
parent 395eae0f
......@@ -202,13 +202,13 @@ srv_parse_data_file_paths_and_sizes(
str = srv_parse_megabytes(str, &size);
if (0 == memcmp(str, ":autoextend",
(sizeof ":autoextend") - 1)) {
if (0 == strncmp(str, ":autoextend",
(sizeof ":autoextend") - 1)) {
str += (sizeof ":autoextend") - 1;
if (0 == memcmp(str, ":max:",
(sizeof ":max:") - 1)) {
if (0 == strncmp(str, ":max:",
(sizeof ":max:") - 1)) {
str += (sizeof ":max:") - 1;
......@@ -290,14 +290,15 @@ srv_parse_data_file_paths_and_sizes(
(*data_file_names)[i] = path;
(*data_file_sizes)[i] = size;
if (0 == memcmp(str, ":autoextend",
(sizeof ":autoextend") - 1)) {
if (0 == strncmp(str, ":autoextend",
(sizeof ":autoextend") - 1)) {
*is_auto_extending = TRUE;
str += (sizeof ":autoextend") - 1;
if (0 == memcmp(str, ":max:", (sizeof ":max:") - 1)) {
if (0 == strncmp(str, ":max:",
(sizeof ":max:") - 1)) {
str += (sizeof ":max:") - 1;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment