Commit 1a95ed1d authored by tnurnberg@mysql.com/white.intern.koehntopp.de's avatar tnurnberg@mysql.com/white.intern.koehntopp.de
Browse files

Bug#31752: check strmake() bounds 

strmake() calls are easy to get wrong. Add checks in extra
debug mode to identify possible exploits.

Remove some dead code.

Remove some off-by-one errors identified with new checks.
parent 39f6cbc2

sql/log.cc

+1 −1
Original line number Diff line number Diff line
@@ -966,7 +966,7 @@ void MYSQL_LOG::make_log_name(char* buf, const char* log_ident) 
  if (dir_len > FN_REFLEN)

    dir_len=FN_REFLEN-1;

  strnmov(buf, log_file_name, dir_len);

  strmake(buf+dir_len, log_ident, FN_REFLEN - dir_len);

  strmake(buf+dir_len, log_ident, FN_REFLEN - dir_len -1);

}

sql/repl_failsafe.cc

+1 −1
Original line number Diff line number Diff line
@@ -926,7 +926,7 @@ int load_master_data(THD* thd) 
			     0, (SLAVE_IO | SLAVE_SQL)))

          send_error(thd, ER_MASTER_INFO);

	strmake(active_mi->master_log_name, row[0],

		sizeof(active_mi->master_log_name));

		sizeof(active_mi->master_log_name) -1);

	active_mi->master_log_pos= my_strtoll10(row[1], (char**) 0, &error);

        /* at least in recent versions, the condition below should be false */

	if (active_mi->master_log_pos < BIN_LOG_HEADER_SIZE)

sql/set_var.cc

+1 −1
Original line number Diff line number Diff line
@@ -1573,7 +1573,7 @@ bool sys_var::check_set(THD *thd, set_var *var, TYPELIB *enum_names) 
					    &not_used));

    if (error_len)

    {

      strmake(buff, error, min(sizeof(buff), error_len));

      strmake(buff, error, min(sizeof(buff) - 1, error_len));

      goto err;

    }

  }

sql/sql_show.cc

+2 −2
Original line number Diff line number Diff line
@@ -136,7 +136,7 @@ int mysqld_show_tables(THD *thd,const char *db,const char *wild) 
{

  Item_string *field=new Item_string("",0,thd->charset());

  List<Item> field_list;

  char path[FN_LEN],*end;

  char path[FN_REFLEN],*end;

  List<char> files;

  char *file_name;

  Protocol *protocol= thd->protocol;
@@ -457,7 +457,7 @@ int mysqld_extend_show_tables(THD *thd,const char *db,const char *wild) 
  Item *item;

  List<char> files;

  List<Item> field_list;

  char path[FN_LEN];

  char path[FN_REFLEN];

  char *file_name;

  TABLE *table;

  Protocol *protocol= thd->protocol;

sql/unireg.cc

+3 −0
Original line number Diff line number Diff line
@@ -140,6 +140,9 @@ bool mysql_create_frm(THD *thd, my_string file_name, 
  strmake((char*) forminfo+47,create_info->comment ? create_info->comment : "",

	  60);

  forminfo[46]=(uchar) strlen((char*)forminfo+47);	// Length of comment

#ifdef EXTRA_DEBUG

  memset((char*) forminfo+47 + forminfo[46], 0, 61 - forminfo[46]);

#endif



  if (my_pwrite(file,(byte*) fileinfo,64,0L,MYF_RW) ||

      my_pwrite(file,(byte*) keybuff,key_info_length,