Commit 0f3cc95b authored by unknown's avatar unknown

BUG#20622: Fix one-byte buffer overrun in IM directory string handling.

The problem was a call to convert_dirname() with a destination buffer
that did not have room for the trailing slash added by that function.
This could cause the instance manager to crash in some cases.


mysys/mf_dirname.c:
  Clarify in comments that convert_dirname destination must be larger than
  source to accommodate a trailing slash.
server-tools/instance-manager/instance_options.cc:
  Fix buffer overrun.
parent 39246e2f
+3 −1
@@ -72,7 +72,9 @@ uint dirname_part(my_string to, const char *name)

  SYNPOSIS
    convert_dirname()
    to				Store result here
    to				Store result here. Must be at least of size
    				min(FN_REFLEN, strlen(from) + 1) to make room
    				for adding FN_LIBCHAR at the end.
    from			Original filename
    from_end			Pointer at end of filename (normally end \0)
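Review bot: The size given for `to` in the new comment looks one byte short of what the fix needs: `strlen(from) + 1` covers the string and its terminating NUL, which leaves no room for the FN_LIBCHAR the same sentence says will be appended. The caller fixed in this commit allocates `strlen(default_path) + 2`, so the contract would be consistent as `min(FN_REFLEN, strlen(from) + 2)`, or the comment should say explicitly that the figure excludes the terminator. A header comment that understates the required size invites the same one-byte overrun in other callers. The body of convert_dirname() is outside this hunk, so how the FN_REFLEN clamp is applied could not be checked here.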

+7 −2
@@ -391,8 +391,13 @@ int Instance_options::complete_initialization(const char *default_path,
  const char *tmp;
  char *end;

  if (!mysqld_path && !(mysqld_path= strdup_root(&alloc, default_path)))
  if (!mysqld_path)
  {
    // Need one extra byte, as convert_dirname() adds a slash at the end.
    if (!(mysqld_path= alloc_root(&alloc, strlen(default_path) + 2)))
      goto err;
    strcpy((char *)mysqld_path, default_path);
  }

  // it's safe to cast this to char* since this is a buffer we are allocating
  end= convert_dirname((char*)mysqld_path, mysqld_path, NullS);
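Review bot: Only the default_path branch gets the spare byte; when `mysqld_path` is already non-NULL on entry, the in-place `convert_dirname((char*)mysqld_path, mysqld_path, NullS)` call at the end of the hunk still runs on a buffer whose allocation is not visible here. If that buffer was sized to fit the string exactly, the appended slash would overrun it by one byte, which is the same defect this commit fixes for the default path. Consider always copying into a buffer of `strlen(mysqld_path) + 2` bytes before converting, or add a comment where the option value is stored stating that it must carry one spare byte. The existing comment that the cast is safe "since this is a buffer we are allocating" also holds only for the default branch as written. complete_initialization() starts before and continues past this hunk, so this needs checking against the place where `mysqld_path` is assigned.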