

[patch 11/11] Fix passing too large buffer size to String() constructor, causing overflow by 1 byte

 

In set_var.cc, several methods construct a String object passing too
large a length for the given buffer. The String class assumes 1 more byte is
available after the given length for zero termination in
String::c_ptr().

Fix by passing the proper length in the constructor call.

---
 sql/set_var.cc   |   14 +++++++-------
 sql/sql_string.h |    4 ++++
 2 files changed, 11 insertions(+), 7 deletions(-)

Index: work-5.1-buildbot/sql/set_var.cc
===================================================================
--- work-5.1-buildbot.orig/sql/set_var.cc	2009-04-08 00:34:49.000000000 +0200
+++ work-5.1-buildbot/sql/set_var.cc	2009-04-08 00:35:43.000000000 +0200
@@ -1740,7 +1740,7 @@ bool sys_var::check_enum(THD *thd, set_v
 {
   char buff[STRING_BUFFER_USUAL_SIZE];
   const char *value;
-  String str(buff, sizeof(buff), system_charset_info), *res;
+  String str(buff, sizeof(buff) - 1, system_charset_info), *res;
 
   if (var->value->result_type() == STRING_RESULT)
   {
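Review bot: The reservation of the terminating byte is now a bare `- 1` at each of the eight call sites (this hunk and the hunks at 1777, 1942, 2047, 2082, 3620 and 3737), with the reason recorded only in the sql_string.h comment, so the next copy of this line is likely to drop it again. A one-line why-comment at the first occurrence would anchor the convention in set_var.cc itself, e.g. `/* c_ptr() may store a NUL at buff[len]; pass one less than sizeof(buff) */`. A small wrapper that takes the array by reference and derives the usable length itself would remove the convention entirely, but that is a larger change than this patch. check_enum's body continues outside the hunk.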
@@ -1777,7 +1777,7 @@ bool sys_var::check_set(THD *thd, set_va
   bool not_used;
   char buff[STRING_BUFFER_USUAL_SIZE], *error= 0;
   uint error_len= 0;
-  String str(buff, sizeof(buff), system_charset_info), *res;
+  String str(buff, sizeof(buff) - 1, system_charset_info), *res;
 
   if (var->value->result_type() == STRING_RESULT)
   {
@@ -1942,7 +1942,7 @@ bool sys_var_thd_date_time_format::updat
 bool sys_var_thd_date_time_format::check(THD *thd, set_var *var)
 {
   char buff[STRING_BUFFER_USUAL_SIZE];
-  String str(buff,sizeof(buff), system_charset_info), *res;
+  String str(buff,sizeof(buff) - 1, system_charset_info), *res;
   DATE_TIME_FORMAT *format;
 
   if (!(res=var->value->val_str(&str)))
@@ -2047,7 +2047,7 @@ bool sys_var_collation::check(THD *thd, 
   if (var->value->result_type() == STRING_RESULT)
   {
     char buff[STRING_BUFFER_USUAL_SIZE];
-    String str(buff,sizeof(buff), system_charset_info), *res;
+    String str(buff,sizeof(buff) - 1, system_charset_info), *res;
     if (!(res=var->value->val_str(&str)))
     {
       my_error(ER_WRONG_VALUE_FOR_VAR, MYF(0), name, "NULL");
@@ -2082,7 +2082,7 @@ bool sys_var_character_set::check(THD *t
   if (var->value->result_type() == STRING_RESULT)
   {
     char buff[STRING_BUFFER_USUAL_SIZE];
-    String str(buff,sizeof(buff), system_charset_info), *res;
+    String str(buff,sizeof(buff) - 1, system_charset_info), *res;
     if (!(res=var->value->val_str(&str)))
     {
       if (!nullable)
@@ -3620,7 +3620,7 @@ bool sys_var_thd_storage_engine::check(T
 {
   char buff[STRING_BUFFER_USUAL_SIZE];
   const char *value;
-  String str(buff, sizeof(buff), &my_charset_latin1), *res;
+  String str(buff, sizeof(buff) - 1, &my_charset_latin1), *res;
 
   var->save_result.plugin= NULL;
   if (var->value->result_type() == STRING_RESULT)
@@ -3737,7 +3737,7 @@ sys_var_thd_sql_mode::
 symbolic_mode_representation(THD *thd, ulonglong val, LEX_STRING *rep)
 {
   char buff[STRING_BUFFER_USUAL_SIZE*8];
-  String tmp(buff, sizeof(buff), &my_charset_latin1);
+  String tmp(buff, sizeof(buff) - 1, &my_charset_latin1);
 
   tmp.length(0);
 
Index: work-5.1-buildbot/sql/sql_string.h
===================================================================
--- work-5.1-buildbot.orig/sql/sql_string.h	2009-04-08 00:35:38.000000000 +0200
+++ work-5.1-buildbot/sql/sql_string.h	2009-04-08 00:35:43.000000000 +0200
@@ -63,6 +63,10 @@ public:
     Ptr=(char*) str; str_length=(uint) strlen(str); Alloced_length=0; alloced=0;
     str_charset=cs;
   }
+  /*
+    NOTE: the following two contructors needs the size of memory for STR to be
+    at least LEN+1 (to make room for zero termination in c_ptr()).
+  */
   String(const char *str,uint32 len, CHARSET_INFO *cs)
   { 
     Ptr=(char*) str; str_length=len; Alloced_length=0; alloced=0;

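Review bot: The added comment has wording defects: `contructors needs` should read `constructors need`, and `STR`/`LEN` are better written as the parameter names `str`/`len` of the constructor below. It also speaks of "the following two constructors" while only one is visible in the hunk; the second presumably follows after the line `Ptr=(char*) str; str_length=len; ...`, so it should be confirmed that the comment sits directly above both. Suggested text: `NOTE: the following two constructors require the buffer at str to hold at least len+1 bytes, since c_ptr() may write a terminating NUL at str[len].`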
-- 



