diff options
| author | Harin Vadodaria <harin.vadodaria@oracle.com> | 2015-11-06 16:41:55 +0530 |
|---|---|---|
| committer | Harin Vadodaria <harin.vadodaria@oracle.com> | 2015-11-06 16:41:55 +0530 |
| commit | 0dbd5a8797ed4bd18e8b883988fb62177eb0f73f (patch) | |
| tree | 1bab2534ca81a99100fa6ed3edcd8111a058d25f /regex | |
| parent | fd9831410dfc878420fcd95dc576b955e94d2c76 (diff) | |
| download | mariadb-git-0dbd5a8797ed4bd18e8b883988fb62177eb0f73f.tar.gz | |
Bug#21973610: BUFFER OVERFLOW ISSUES
Description : Incorrect usage of sprintf/strcpy caused
possible buffer overflow issues at various
places.
Solution : - Fixed mysql_plugin and mysqlshow
- Fixed regex library issues
Reviewed-By : Georgi Kodinov <georgi.kodinov@oracle.com>
Reviewed-By : Venkata S Murthy Sidagam <venkata.sidagam@oracle.com>
Diffstat (limited to 'regex')
| -rw-r--r-- | regex/main.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/regex/main.c b/regex/main.c index f5b591907cf..d35d5a93734 100644 --- a/regex/main.c +++ b/regex/main.c @@ -425,7 +425,8 @@ char *should; (sub.rm_so != -1 && sub.rm_eo == -1) || (sub.rm_so != -1 && sub.rm_so < 0) || (sub.rm_eo != -1 && sub.rm_eo < 0) ) { - sprintf(grump, "start %ld end %ld", (long)sub.rm_so, + snprintf(grump, sizeof(grump), + "start %ld end %ld", (long)sub.rm_so, (long)sub.rm_eo); return(grump); } @@ -438,7 +439,8 @@ char *should; /* check for in range */ if ((int) sub.rm_eo > (int) strlen(str)) { - sprintf(grump, "start %ld end %ld, past end of string", + snprintf(grump, sizeof(grump), + "start %ld end %ld, past end of string", (long)sub.rm_so, (long)sub.rm_eo); return(grump); } @@ -449,13 +451,15 @@ char *should; /* check for not supposed to match */ if (should == NULL) { - sprintf(grump, "matched `%.*s'", len, p); + snprintf(grump, sizeof(grump), + "matched `%.*s'", len, p); return(grump); } /* check for wrong match */ if (len != shlen || strncmp(p, should, (size_t)shlen) != 0) { - sprintf(grump, "matched `%.*s' instead", len, p); + snprintf(grump, sizeof(grump), + "matched `%.*s' instead", len, p); return(grump); } if (shlen > 0) @@ -468,7 +472,8 @@ char *should; if (shlen == 0) shlen = 1; /* force check for end-of-string */ if (strncmp(p, at, shlen) != 0) { - sprintf(grump, "matched null at `%.20s'", p); + snprintf(grump, sizeof(grump), + "matched null at `%.20s'", p); return(grump); } return(NULL); @@ -501,7 +506,7 @@ char *name; static char efbuf[100]; my_regex_t re; - sprintf(efbuf, "REG_%s", name); + snprintf(efbuf, sizeof(efbuf), "REG_%s", name); assert(strlen(efbuf) < sizeof(efbuf)); re.re_endp = efbuf; (void) my_regerror(REG_ATOI, &re, efbuf, sizeof(efbuf)); |