From b9380f0e76b34af223c4ef0b4fe648ddca47a59c Mon Sep 17 00:00:00 2001 From: Davi Arnaut Date: Thu, 17 Dec 2009 15:58:38 -0200 Subject: Bug#48983: Bad strmake calls (length one too long) The problem is a somewhat common misusage of the strmake function. The strmake(dst, src, len) function writes at most /len/ bytes to the string pointed to by src, not including the trailing null byte. Hence, if /len/ is the exact length of the destination buffer, a one byte buffer overflow can occur if the length of the source string is equal to or greater than /len/. --- client/mysqldump.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'client/mysqldump.c') diff --git a/client/mysqldump.c b/client/mysqldump.c index 1918a657316..9bbf718eebf 100644 --- a/client/mysqldump.c +++ b/client/mysqldump.c @@ -782,7 +782,7 @@ get_one_option(int optid, const struct my_option *opt __attribute__((unused)), &err_ptr, &err_len); if (err_len) { - strmake(buff, err_ptr, min(sizeof(buff), err_len)); + strmake(buff, err_ptr, min(sizeof(buff) - 1, err_len)); fprintf(stderr, "Invalid mode to --compatible: %s\n", buff); exit(1); } @@ -3452,7 +3452,7 @@ static ulong find_set(TYPELIB *lib, const char *x, uint length, for (; pos != end && *pos != ','; pos++) ; var_len= (uint) (pos - start); - strmake(buff, start, min(sizeof(buff), var_len)); + strmake(buff, start, min(sizeof(buff) - 1, var_len)); find= find_type(buff, lib, var_len); if (!find) { -- cgit v1.2.1