author: Shishir Jaiswal <shishir.j.jaiswal@oracle.com> 2016-06-17 10:11:33 +0530
committer: Shishir Jaiswal <shishir.j.jaiswal@oracle.com> 2016-06-17 10:11:33 +0530
commit: 957aefdc8f5523a1d45775f5ce3de74c03f5ed98
tree: a786b51049fe518ecd4c989b89b6773c0abe5569
parent: df0d8efaf25a69990cf422d55011c1c0eebdec51
Bug#23498283 - BUFFER OVERFLOW
DESCRIPTION
===========
Buffer overflow is reported in Regex library. This can be triggered when the data corresponding to argv[1] is >= 512 bytes resulting in abnormal behaviour.

ANALYSIS
========
It's a straightforward case of SEGFAULT where the target buffer is smaller than the source string to be copied. A simple pre-copy validation should do.

FIX
===
A check is added before doing strcpy() to ensure that the target buffer is big enough to hold the to-be copied data. If the check fails, the program aborts.
-rw-r--r-- regex/split.c 4
1 files changed, 4 insertions, 0 deletions
diff --git a/regex/split.c b/regex/split.c
index a3a11f793ed..abae74eba9c 100644
--- a/regex/split.c
+++ b/regex/split.c
@@ -159,6 +159,10 @@ char *argv[];
if (argc > 4)
for (n = atoi(argv[3]); n > 0; n--) {
+ if(sizeof(buf)-1 < strlen(argv[1]))
+ {
+ exit(EXIT_FAILURE);
+ }
(void) strcpy(buf, argv[1]);
}
else if (argc > 3)
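Review bot: the length check sits inside the `for` loop of the `argc > 4` branch even though neither `argv[1]` nor `buf` changes between iterations, and it calls `exit(EXIT_FAILURE)` without any diagnostic. Hoist the check above the loop and write a short message to stderr before exiting, so an oversized argument is distinguishable from any other failure of the test driver. The `else if (argc > 3)` branch that starts right after this hunk is not touched here; if it also copies `argv[1]` into `buf`, it needs the same guard. `sizeof(buf)` only yields the buffer capacity if `buf` is an array in this scope, which the visible lines do not show, so that is worth confirming against the declaration. Style: `if(sizeof(buf)-1 < strlen(argv[1]))` should follow the surrounding `if (argc > 4)` spacing.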