diff options
| author | Nirbhay Choubey <nirbhay.choubey@oracle.com> | 2013-01-04 16:38:12 +0530 |
|---|---|---|
| committer | Nirbhay Choubey <nirbhay.choubey@oracle.com> | 2013-01-04 16:38:12 +0530 |
| commit | 138217a201a3b186f12cb11e212e2c8b5c4446cd (patch) | |
| tree | 01ce81398a02590558cbe0ddf738c53e520af187 /mysys | |
| parent | c72f687f21d6fb4750f3d05221be8b039ee11fdf (diff) | |
| download | mariadb-git-138217a201a3b186f12cb11e212e2c8b5c4446cd.tar.gz | |
Bug#16066243 PB2 FAILURES I_MAIN.BUG15912213 AND
I_MAIN.CTYPE_UTF8 FOR MACOSX10.6 FOR 5.1
While converting directory name to filename, a
file separator (FN_LIBCHAR) might get appended
to the resulting file name. This can result in
off-by-one error when length of the input string
is equal to FN_REFLEN. In this case, the terminating
'\0' gets written beyond the buffer allocated to store
the result.
Fixed by incrementing the dst buffer size by 1. As
extra safety, switched to strnmov() and added a debug
assert to check the length of the input file name.
No test case added as the scenario is already
covered by the test cases added for bugs in
the description.
Diffstat (limited to 'mysys')
| -rw-r--r-- | mysys/my_lib.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/mysys/my_lib.c b/mysys/my_lib.c index c18d14fb549..41dc8f46f8e 100644 --- a/mysys/my_lib.c +++ b/mysys/my_lib.c @@ -103,7 +103,7 @@ MY_DIR *my_dir(const char *path, myf MyFlags) MEM_ROOT *names_storage; DIR *dirp; struct dirent *dp; - char tmp_path[FN_REFLEN+1],*tmp_file; + char tmp_path[FN_REFLEN + 2], *tmp_file; #ifdef THREAD char dirent_tmp[sizeof(struct dirent)+_POSIX_PATH_MAX+1]; #endif @@ -215,10 +215,11 @@ char * directory_file_name (char * dst, const char *src) /* Process as Unix format: just remove test the final slash. */ char * end; + DBUG_ASSERT(strlen(src) < (FN_REFLEN + 1)); if (src[0] == 0) src= (char*) "."; /* Use empty as current */ - end=strmov(dst, src); + end= strnmov(dst, src, FN_REFLEN + 1); if (end[-1] != FN_LIBCHAR) { end[0]=FN_LIBCHAR; /* Add last '/' */ |