From b9380f0e76b34af223c4ef0b4fe648ddca47a59c Mon Sep 17 00:00:00 2001 From: Davi Arnaut Date: Thu, 17 Dec 2009 15:58:38 -0200 Subject: Bug#48983: Bad strmake calls (length one too long) The problem is a somewhat common misusage of the strmake function. The strmake(dst, src, len) function writes at most /len/ bytes to the string pointed to by src, not including the trailing null byte. Hence, if /len/ is the exact length of the destination buffer, a one byte buffer overflow can occur if the length of the source string is equal to or greater than /len/. --- libmysqld/lib_sql.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'libmysqld') diff --git a/libmysqld/lib_sql.cc b/libmysqld/lib_sql.cc index b0a47727c7c..644d4702e55 100644 --- a/libmysqld/lib_sql.cc +++ b/libmysqld/lib_sql.cc @@ -73,7 +73,7 @@ void embedded_get_error(MYSQL *mysql, MYSQL_DATA *data) NET *net= &mysql->net; struct embedded_query_result *ei= data->embedded_info; net->last_errno= ei->last_errno; - strmake(net->last_error, ei->info, sizeof(net->last_error)); + strmake(net->last_error, ei->info, sizeof(net->last_error) - 1); memcpy(net->sqlstate, ei->sqlstate, sizeof(net->sqlstate)); mysql->server_status= ei->server_status; my_free((gptr) data, MYF(0)); -- cgit v1.2.1