Bug #44767: invalid memory reads in password() and

            old_password() functions   
The PASSWORD() and OLD_PASSWORD() functions could lead to   
memory reads outside of an internal buffer when used with BLOB   
arguments.   
  
String::c_ptr() assumes there is at least one extra byte  
in the internally allocated buffer when adding the trailing  
'\0'.  This, however, may not be the case when a String object  
was initialized with externally allocated buffer.  
  
The bug was fixed by adding an additional "length" argument to  
make_scrambled_password_323() and make_scrambled_password() in  
order to avoid String::c_ptr() calls for  
PASSWORD()/OLD_PASSWORD().  
  
However, since the make_scrambled_password[_323] functions are  
a part of the client library ABI, the functions with the new  
interfaces were implemented with the 'my_' prefix in their  
names, with the old functions changed to be wrappers around  
the new ones to maintain interface compatibility.  

1 files changed, 2 insertions, 2 deletions

diff --git a/sql/item_strfunc.h b/sql/item_strfunc.h
index 1c5346ab074..f2cb4d2d32a 100644
--- a/sql/item_strfunc.h
+++ b/sql/item_strfunc.h
@@ -281,7 +281,7 @@ public:
   String *val_str(String *str);
   void fix_length_and_dec() { max_length= SCRAMBLED_PASSWORD_CHAR_LENGTH; }
   const char *func_name() const { return "password"; }
-  static char *alloc(THD *thd, const char *password);
+  static char *alloc(THD *thd, const char *password, size_t pass_len);
 };
 
 
@@ -300,7 +300,7 @@ public:
   String *val_str(String *str);
   void fix_length_and_dec() { max_length= SCRAMBLED_PASSWORD_CHAR_LENGTH_323; } 
   const char *func_name() const { return "old_password"; }
-  static char *alloc(THD *thd, const char *password);
+  static char *alloc(THD *thd, const char *password, size_t pass_len);
 };