author | unknown <serg@serg.mylan> | 2006-01-28 19:21:40 +0100 |
---|---|---|
committer | unknown <serg@serg.mylan> | 2006-01-28 19:21:40 +0100 |
commit | 3b476a8ff21e763d379148b683a8d9457ce7fa2e (patch) | |
tree | b336dde22e93d943fccd2e9f3e525e48dd1852a9 | |
parent | 1fa5ff048864162f1c501ff23f1ae7f6520e6b4f (diff) | |
two buffer overflows fixed
sql/sp.cc:
use strxnmov, just in case
sql/sql_parse.cc:
init thd->security_ctx->priv_host,
otherwise - buffer overflow in db_create_routine
sql/unireg.cc:
not too nice to do bzero(buf, 9) after char buf[5], eh ?
-rw-r--r-- | sql/sp.cc | 2 | ||||
-rw-r--r-- | sql/sql_parse.cc | 1 | ||||
-rw-r--r-- | sql/unireg.cc | 6 |
3 files changed, 5 insertions, 4 deletions
diff --git a/sql/sp.cc b/sql/sp.cc index 8409f364414..bf639b13a41 100644 --- a/sql/sp.cc +++ b/sql/sp.cc @@ -501,7 +501,7 @@ db_create_routine(THD *thd, int type, sp_head *sp) else { restore_record(table, s->default_values); // Get default values for fields - strxmov(definer, thd->security_ctx->priv_user, "@", + strxnmov(definer, sizeof(definer)-1, thd->security_ctx->priv_user, "@", thd->security_ctx->priv_host, NullS); if (table->s->fields != MYSQL_PROC_FIELD_COUNT) diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc index fa69266f5c4..98ed9353f80 100644 --- a/sql/sql_parse.cc +++ b/sql/sql_parse.cc @@ -1253,6 +1253,7 @@ pthread_handler_t handle_bootstrap(void *arg) thd->version=refresh_version; thd->security_ctx->priv_user= thd->security_ctx->user= (char*) my_strdup("boot", MYF(MY_WME)); + thd->security_ctx->priv_host[0]=0; buff= (char*) thd->net.buff; thd->init_for_queries(); diff --git a/sql/unireg.cc b/sql/unireg.cc index 4200a36ab58..2c5f4b34091 100644 --- a/sql/unireg.cc +++ b/sql/unireg.cc @@ -63,7 +63,7 @@ static bool make_empty_rec(THD *thd, int file, enum legacy_db_type table_type, keys number of keys to create key_info Keys to create db_file Handler to use. May be zero, in which case we use - create_info->db_type + create_info->db_type RETURN 0 ok 1 error @@ -84,7 +84,7 @@ bool mysql_create_frm(THD *thd, const char *file_name, uchar fileinfo[64],forminfo[288],*keybuff; TYPELIB formnames; uchar *screen_buff; - char buff[5]; + char buff[32]; #ifdef WITH_PARTITION_STORAGE_ENGINE partition_info *part_info= thd->lex->part_info; #endif @@ -232,7 +232,7 @@ bool mysql_create_frm(THD *thd, const char *file_name, goto err; } } - + VOID(my_seek(file,filepos,MY_SEEK_SET,MYF(0))); if (my_write(file,(byte*) forminfo,288,MYF_RW) || my_write(file,(byte*) screen_buff,info_length,MYF_RW) || |
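Review bot: The new `strxnmov(definer, sizeof(definer)-1, ...)` call in db_create_routine truncates silently when `priv_user`, "@" and `priv_host` together do not fit, and the shortened string is then presumably stored as the routine's definer. A definer names an account, so a cut-off value should be rejected rather than kept. A length test before the copy would do this, for example `if (strlen(thd->security_ctx->priv_user) + strlen(thd->security_ctx->priv_host) + 1 >= sizeof(definer))`, followed by the function's existing error path. The bound is only right if `definer` is an array in this scope and not a pointer; its declaration and the rest of the function are outside the hunk.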
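Review bot: The added `thd->security_ctx->priv_host[0]=0;` in handle_bootstrap repairs one call site, but the invariant that `priv_host` is always a terminated string is still not established where the security context is created. If any other path builds a THD without going through login (not visible in this hunk), it would hand the same unterminated array to db_create_routine; setting `priv_host[0]= 0` in the security context's own initialisation would cover all of them. Whichever place is chosen, the line deserves a comment such as `/* priv_host is read as a C string when building the definer; terminate it for threads that skip authentication */`. The `my_strdup("boot", ...)` result on the preceding lines is also used unchecked, and the function body continues outside the hunk.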
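Review bot: Enlarging `buff` to `char buff[32];` in mysql_create_frm removes the overflow, but the array size and the lengths passed at its use sites are still unrelated literals, so the next edit to either one can reintroduce it. The `bzero` and write calls mentioned in the commit message are outside this hunk. If they still use a hard-coded count, that count should be a named constant shared with the declaration, or be guarded by something like `DBUG_ASSERT(len <= sizeof(buff));`. A short comment on the declaration saying what the buffer holds and why 32 is enough would also help, since the number is not explained anywhere in the visible change.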