Commit e6ef54b3 authored by tnurnberg@sin.intern.azundris.com's avatar tnurnberg@sin.intern.azundris.com

Bug#31588: buffer overrun when setting variables

Buffer used when setting variables was not dimensioned to accommodate
trailing '\0'. An overflow by one character was therefore possible.
CS corrects limits to prevent such overflows.
parent 39f6cbc2
+3 −0
@@ -561,3 +561,6 @@ set @@query_prealloc_size = @test;
select @@query_prealloc_size = @test;
@@query_prealloc_size = @test
1
set global sql_mode=repeat('a',80);
ERROR 42000: Variable 'sql_mode' can't be set to the value of 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
End of 4.1 tests
+8 −1
@@ -447,4 +447,11 @@ set @test = @@query_prealloc_size;
set @@query_prealloc_size = @test;
select @@query_prealloc_size = @test;

# End of 4.1 tests
#
# Bug#31588 buffer overrun when setting variables
#
# Buffer-size Off By One. Should throw valgrind-warning without fix #31588.
--error 1231
set global sql_mode=repeat('a',80);

--echo End of 4.1 tests
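Review bot: The length 80 in `set global sql_mode=repeat('a',80);` is a bare magic number, and the test only exercises the off-by-one if it matches the size of the buffer in sys_var::check_set, whose declaration is not visible in this commit. If that buffer is ever resized, the statement will still fail with error 1231 and the test will keep passing without touching the boundary. I would add a comment tying the two together, for example `# 80 must equal the size of the value buffer in sys_var::check_set (set_var.cc); update both together.`, with the file name confirmed against the tree. Since the statement errors out with or without the fix, it is also worth saying explicitly that this test catches a regression only when run under valgrind or a similar memory checker.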
+1 −1
@@ -1573,7 +1573,7 @@ bool sys_var::check_set(THD *thd, set_var *var, TYPELIB *enum_names)
					    &not_used));
    if (error_len)
    {
      strmake(buff, error, min(sizeof(buff), error_len));
      strmake(buff, error, min(sizeof(buff) - 1, error_len));
      goto err;
    }
  }
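Review bot: The new bound `min(sizeof(buff) - 1, error_len)` carries no comment saying why one byte is held back, so a later cleanup could easily "simplify" it back to `sizeof(buff)`. A one-line comment above the call would pin the reason, for example `/* strmake() writes a '\0' after the copied bytes; leave room for it */`. The bound is also only correct while `buff` is a true array in this scope; its declaration is outside the hunk, so that is assumed rather than verified here. Other `strmake()` calls that pass a full `sizeof(...)` as the length would have the same one-byte overrun and deserve the same audit, although none are visible in this hunk. The body of sys_var::check_set starts and ends outside the lines shown.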