diff options
| author | Olivier Bertrand <bertrandop@gmail.com> | 2014-09-27 12:09:37 +0200 |
|---|---|---|
| committer | Olivier Bertrand <bertrandop@gmail.com> | 2014-09-27 12:09:37 +0200 |
| commit | 8585a6b58654610839139653e7793d7e6e485199 (patch) | |
| tree | 8db21e0240c90a6f2da1f72e2e5f7b7824b46373 /storage/connect/tabxcl.cpp | |
| parent | 6a00401a6090b58c2141da86b19fcc17e7102072 (diff) | |
| download | mariadb-git-8585a6b58654610839139653e7793d7e6e485199.tar.gz | |
- Fix: Crash of an XCOL table when the Colname column size is too small.
Was because of buffer overrun in XCLCOL::ReadColumn.
The Cbuf buffer was unconditionally filled Now it is limited to its size.
This happened because this buffer was allocated according to the XCOL
column size. It is now allocated according to the source column size.
modified:
storage/connect/plgdbsem.h
storage/connect/tabutil.h
storage/connect/tabxcl.cpp
storage/connect/tabxcl.h
Diffstat (limited to 'storage/connect/tabxcl.cpp')
| -rw-r--r-- | storage/connect/tabxcl.cpp | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/storage/connect/tabxcl.cpp b/storage/connect/tabxcl.cpp index bd3d57257ff..66e2577056a 100644 --- a/storage/connect/tabxcl.cpp +++ b/storage/connect/tabxcl.cpp @@ -184,7 +184,7 @@ bool TDBXCL::OpenDB(PGLOBAL g) /* Check and initialize the subtable columns. */ /*********************************************************************/ for (PCOL cp = Columns; cp; cp = cp->GetNext()) - if (((PXCLCOL)cp)->Init(g)) + if (((PPRXCOL)cp)->Init(g)) return TRUE; /*********************************************************************/ @@ -240,13 +240,26 @@ XCLCOL::XCLCOL(PGLOBAL g, PCOLDEF cdp, PTDB tdbp, PCOL cprec, int i) : PRXCOL(cdp, tdbp, cprec, i, "XCL") { // Set additional XXL access method information for column. - Cbuf = (char*)PlugSubAlloc(g, NULL, Long + 1); + Cbuf = NULL; // Will be allocated later Cp = NULL; // Pointer to current position in Cbuf Sep = ((PTDBXCL)tdbp)->Sep; AddStatus(BUF_READ); // Only evaluated from TDBXCL::ReadDB } // end of XCLCOL constructor /***********************************************************************/ +/* XCLCOL initialization routine. */ +/* Allocate Cbuf that will contain the Colp value. */ +/***********************************************************************/ +bool XCLCOL::Init(PGLOBAL g, PTDBASE tp) + { + if (PRXCOL::Init(g, tp)) + return true; + + Cbuf = (char*)PlugSubAlloc(g, NULL, Colp->GetLength() + 1); + return false; + } // end of Init + +/***********************************************************************/ /* What this routine does is to get the comma-separated string */ /* from the source table column, extract the single values and */ /* set the flag for the table ReadDB function. */ @@ -255,7 +268,8 @@ void XCLCOL::ReadColumn(PGLOBAL g) { if (((PTDBXCL)To_Tdb)->New) { Colp->Eval(g); - strcpy(Cbuf, To_Val->GetCharValue()); + strncpy(Cbuf, To_Val->GetCharValue(), Colp->GetLength()); + Cbuf[Colp->GetLength()] = 0; Cp = Cbuf; } // endif New |