From c646a66ddbc19bc8691e6cee99f3da127d7fab95 Mon Sep 17 00:00:00 2001
From: unknown <serg@serg.mylan>
Date: Sat, 11 Dec 2004 10:17:25 +0100
Subject: sql/password.c: check for buffer overflow in check_scramble_323
 (BUG#7187)

sql/password.c:
  check for buffer overflow in check_scramble_323
---
 sql/password.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'sql/password.c')

diff --git a/sql/password.c b/sql/password.c
index b9f3a07e596..04b3a46bd48 100644
--- a/sql/password.c
+++ b/sql/password.c
@@ -211,12 +211,13 @@ check_scramble_323(const char *scrambled, const char *message,
   ulong hash_message[2];
   char buff[16],*to,extra;                      /* Big enough for check */
   const char *pos;
-  
+
   hash_password(hash_message, message, SCRAMBLE_LENGTH_323);
   randominit(&rand_st,hash_pass[0] ^ hash_message[0],
              hash_pass[1] ^ hash_message[1]);
   to=buff;
-  for (pos=scrambled ; *pos ; pos++)
+  DBUG_ASSERT(sizeof(buff) > SCRAMBLE_LENGTH_323);
+  for (pos=scrambled ; *pos && to < buff+sizeof(buff) ; pos++)
     *to++=(char) (floor(my_rnd(&rand_st)*31)+64);
   if (pos-scrambled != SCRAMBLE_LENGTH_323)
     return 1;
-- 
cgit v1.2.1