author | unknown <ramil/ram@mysql.com/ramil.myoffice.izhnet.ru> | 2007-04-16 12:28:02 +0500 |
---|---|---|
committer | unknown <ramil/ram@mysql.com/ramil.myoffice.izhnet.ru> | 2007-04-16 12:28:02 +0500 |
commit | be90800c9f7fed4fdae2acfa12f2ea369eeb07e7 (patch) | |
tree | 65990f1ef349da6bdb79d29bfb4c458daf474a48 | |
parent | 0ab74abc6395af5949d3797c6a9037f3317a0acd (diff) | |
download | mariadb-git-be90800c9f7fed4fdae2acfa12f2ea369eeb07e7.tar.gz |
Fix for
bug #27715: mysqld --character-sets-dir buffer overflow
bug #26851: Mysql Client --pager Buffer Overflow
Using strmov() to copy an argument may cause an overflow
if the argument's length is bigger than the buffer:
use strmake() instead.
Also, we have to increase the error message buffer size to fit
the longest message.
client/mysql.cc:
Fix for
bug #27715: mysqld --character-sets-dir buffer overflow
bug ##26851: Mysql Client --pager Buffer Overflow
- use strmake() instead of strmov() to avoid buffer overflow.
mysql-test/r/mysql.result:
Fix for
bug #27715: mysqld --character-sets-dir buffer overflow
bug ##26851: Mysql Client --pager Buffer Overflow
- test result.
mysql-test/t/mysql.test:
Fix for
bug #27715: mysqld --character-sets-dir buffer overflow
bug ##26851: Mysql Client --pager Buffer Overflow
- test case.
mysys/charset.c:
Fix for
bug #27715: mysqld --character-sets-dir buffer overflow
bug ##26851: Mysql Client --pager Buffer Overflow
- encrease error message buffer size to fit the (possible) longest message.
-rw-r--r-- | client/mysql.cc | 4 | ||||
-rw-r--r-- | mysql-test/r/mysql.result | 4 | ||||
-rw-r--r-- | mysql-test/t/mysql.test | 6 | ||||
-rw-r--r-- | mysys/charset.c | 8 |
4 files changed, 16 insertions, 6 deletions
diff --git a/client/mysql.cc b/client/mysql.cc
index 510420fdf3d..2ea464c2bdf 100644
--- a/client/mysql.cc
+++ b/client/mysql.cc
@@ -808,7 +808,7 @@ get_one_option(int optid, const struct my_option *opt __attribute__((unused)),
 break;
 #endif
 case OPT_CHARSETS_DIR:
- strmov(mysql_charsets_dir, argument);
+ strmake(mysql_charsets_dir, argument, sizeof(mysql_charsets_dir) - 1);
 charsets_dir = mysql_charsets_dir;
 break;
 case OPT_DEFAULT_CHARSET:
@@ -861,7 +861,7 @@ get_one_option(int optid, const struct my_option *opt __attribute__((unused)),
 if (argument && strlen(argument))
 {
 default_pager_set= 1;
- strmov(pager, argument);
+ strmake(pager, argument, sizeof(pager) - 1);
 strmov(default_pager, pager);
 }
 else if (default_pager_set)
diff --git a/mysql-test/r/mysql.result b/mysql-test/r/mysql.result
index e83bbe97eaa..74b5c42e59b 100644
--- a/mysql-test/r/mysql.result
+++ b/mysql-test/r/mysql.result
@@ -174,4 +174,8 @@ ERROR 2005 (HY000) at line 1: Unknown MySQL server host 'cyrils_superlonghostnam
 1
 ERROR at line 1: DELIMITER cannot contain a backslash character
 ERROR at line 1: DELIMITER cannot contain a backslash character
+1
+1
+1
+1
 End of 5.0 tests
diff --git a/mysql-test/t/mysql.test b/mysql-test/t/mysql.test
index 1af7c6381fe..09e90e2ee2a 100644
--- a/mysql-test/t/mysql.test
+++ b/mysql-test/t/mysql.test
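Review bot: The new `strmake(mysql_charsets_dir, argument, sizeof(mysql_charsets_dir) - 1);` in the OPT_CHARSETS_DIR case silently truncates an over-long --character-sets-dir value, so the client carries on with a directory path the user never supplied instead of reporting the bad argument. Comparing `strlen(argument)` with `sizeof(mysql_charsets_dir) - 1` before the copy and failing option parsing when it is exceeded would make the limit visible; at minimum add `/* strmake() truncates: longer paths are cut, not rejected */` above the call. The bound is also only correct if mysql_charsets_dir is a char array rather than a pointer; its declaration is outside the hunk, as is the rest of get_one_option().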
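Review bot: The context line directly after the fix, `strmov(default_pager, pager);`, is still an unbounded copy, so the pager case is safe only if default_pager is at least as large as pager, and neither declaration is visible in this hunk. Bounding it the same way, `strmake(default_pager, pager, sizeof(default_pager) - 1);`, removes that dependency on two declarations staying in step. An over-long --pager value is also truncated silently here rather than rejected, which would later run a different pager command string than the one given.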
@@ -264,4 +264,10 @@ EOF --exec $MYSQL --version 2>&1 > /dev/null --enable_quary_log +# +# bug #26851: Mysql Client --pager Buffer Overflow +# +--exec $MYSQL --pager="540bytelengthstringxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" -e "select 1" 2>&1 +--exec $MYSQL --character-sets-dir="540bytelengthstringxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" -e "select 1" 2>&1 + --echo End of 5.0 tests diff --git a/mysys/charset.c b/mysys/charset.c index 9fb02f1a39f..cce97677b14 100644 --- a/mysys/charset.c +++ b/mysys/charset.c @@ -388,7 +388,7 @@ my_bool STDCALL init_available_charsets(myf myflags) static my_bool init_available_charsets(myf myflags) #endif { - char fname[FN_REFLEN]; + char fname[FN_REFLEN + sizeof(MY_CHARSET_INDEX)]; my_bool error=FALSE; /* We have to use charset_initialized to not lock on THR_LOCK_charset 
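Review bot: The comment block added above the two `--exec` lines names only bug #26851, although the second command exercises --character-sets-dir, which the commit message tracks as bug #27715; add `# bug #27715: mysqld --character-sets-dir buffer overflow` so the test can be traced to both reports. The 540-byte argument presumably exceeds the fixed buffers being patched, but the file does not say which limit it is meant to cross; a one-line comment stating that would keep the test meaningful if the buffer size changes. The recorded result only shows that `select 1` still runs, so the test checks for a clean exit rather than for how the over-long value is handled.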
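Review bot: `char fname[FN_REFLEN + sizeof(MY_CHARSET_INDEX)];` in init_available_charsets() carries no comment explaining the sizing, and the same expression is repeated for index_file in the hunks at -519, -539 and -564. A named constant, e.g. `#define MY_CHARSET_INDEX_PATH_LEN (FN_REFLEN + sizeof(MY_CHARSET_INDEX))`, with a comment such as `/* room for get_charsets_dir() output plus the index file name and NUL */`, would keep the four declarations in step. The code that fills fname lies below the end of this hunk, so whether the new size is sufficient there cannot be confirmed from here.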
@@ -519,7 +519,7 @@ CHARSET_INFO *get_charset(uint cs_number, myf flags) if (!cs && (flags & MY_WME)) { - char index_file[FN_REFLEN], cs_string[23]; + char index_file[FN_REFLEN + sizeof(MY_CHARSET_INDEX)], cs_string[23]; strmov(get_charsets_dir(index_file),MY_CHARSET_INDEX); cs_string[0]='#'; int10_to_str(cs_number, cs_string+1, 10); @@ -539,7 +539,7 @@ CHARSET_INFO *get_charset_by_name(const char *cs_name, myf flags) if (!cs && (flags & MY_WME)) { - char index_file[FN_REFLEN]; + char index_file[FN_REFLEN + sizeof(MY_CHARSET_INDEX)]; strmov(get_charsets_dir(index_file),MY_CHARSET_INDEX); my_error(EE_UNKNOWN_COLLATION, MYF(ME_BELL), cs_name, index_file); } @@ -564,7 +564,7 @@ CHARSET_INFO *get_charset_by_csname(const char *cs_name, if (!cs && (flags & MY_WME)) { - char index_file[FN_REFLEN]; + char index_file[FN_REFLEN + sizeof(MY_CHARSET_INDEX)]; strmov(get_charsets_dir(index_file),MY_CHARSET_INDEX); my_error(EE_UNKNOWN_CHARSET, MYF(ME_BELL), cs_name, index_file); } |
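Review bot: `strmov(get_charsets_dir(index_file),MY_CHARSET_INDEX);` in get_charset() remains an unbounded append, so the enlarged index_file is sufficient only if get_charsets_dir() never writes more than FN_REFLEN bytes, which is not visible in this diff; the same line appears in the get_charset_by_name() and get_charset_by_csname() hunks. Bounding the append to the space left makes the three sites independent of that assumption: `char *end= get_charsets_dir(index_file);` followed by `strmake(end, MY_CHARSET_INDEX, sizeof(index_file) - 1 - (size_t) (end - index_file));`. All three function bodies start and end outside their hunks.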