[patch 11/11] Fix passing too large buffer size to String() constructor, causing overflow by 1 byte
In set_var.cc, several methods construct a String object passing too
large a length for the given buffer. The String class assumes 1 more byte is
available after the given length for zero termination in
String::c_ptr().
Fix by passing the proper length in the constructor call.
---
sql/set_var.cc | 14 +++++++-------
sql/sql_string.h | 4 ++++
2 files changed, 11 insertions(+), 7 deletions(-)
Index: work-5.1-buildbot/sql/set_var.cc
===================================================================
--- work-5.1-buildbot.orig/sql/set_var.cc 2009-04-08 00:34:49.000000000 +0200
+++ work-5.1-buildbot/sql/set_var.cc 2009-04-08 00:35:43.000000000 +0200
@@ -1740,7 +1740,7 @@ bool sys_var::check_enum(THD *thd, set_v
{
char buff[STRING_BUFFER_USUAL_SIZE];
const char *value;
- String str(buff, sizeof(buff), system_charset_info), *res;
+ String str(buff, sizeof(buff) - 1, system_charset_info), *res;
if (var->value->result_type() == STRING_RESULT)
{
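Review bot: The `- 1` on the new `String str(buff, sizeof(buff) - 1, system_charset_info), *res;` line encodes a contract that is only stated in sql_string.h, so the next call site written in this file is likely to copy the old `sizeof(buff)` form and reintroduce the one-byte overflow. A short in-place comment would make the reason reviewable at the point of use, e.g. `String str(buff, sizeof(buff) - 1, system_charset_info), *res; /* c_ptr() stores a terminator at Ptr[len] */`. The same applies to the six remaining hunks in this file (check_set, sys_var_thd_date_time_format::check, sys_var_collation::check, sys_var_character_set::check, sys_var_thd_storage_engine::check and symbolic_mode_representation). The bodies of these functions continue outside the hunks, so whether each str is later passed through c_ptr() cannot be confirmed here; reserving the byte costs at most one byte of stack buffer either way.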
@@ -1777,7 +1777,7 @@ bool sys_var::check_set(THD *thd, set_va
bool not_used;
char buff[STRING_BUFFER_USUAL_SIZE], *error= 0;
uint error_len= 0;
- String str(buff, sizeof(buff), system_charset_info), *res;
+ String str(buff, sizeof(buff) - 1, system_charset_info), *res;
if (var->value->result_type() == STRING_RESULT)
{
@@ -1942,7 +1942,7 @@ bool sys_var_thd_date_time_format::updat
bool sys_var_thd_date_time_format::check(THD *thd, set_var *var)
{
char buff[STRING_BUFFER_USUAL_SIZE];
- String str(buff,sizeof(buff), system_charset_info), *res;
+ String str(buff,sizeof(buff) - 1, system_charset_info), *res;
DATE_TIME_FORMAT *format;
if (!(res=var->value->val_str(&str)))
@@ -2047,7 +2047,7 @@ bool sys_var_collation::check(THD *thd,
if (var->value->result_type() == STRING_RESULT)
{
char buff[STRING_BUFFER_USUAL_SIZE];
- String str(buff,sizeof(buff), system_charset_info), *res;
+ String str(buff,sizeof(buff) - 1, system_charset_info), *res;
if (!(res=var->value->val_str(&str)))
{
my_error(ER_WRONG_VALUE_FOR_VAR, MYF(0), name, "NULL");
@@ -2082,7 +2082,7 @@ bool sys_var_character_set::check(THD *t
if (var->value->result_type() == STRING_RESULT)
{
char buff[STRING_BUFFER_USUAL_SIZE];
- String str(buff,sizeof(buff), system_charset_info), *res;
+ String str(buff,sizeof(buff) - 1, system_charset_info), *res;
if (!(res=var->value->val_str(&str)))
{
if (!nullable)
@@ -3620,7 +3620,7 @@ bool sys_var_thd_storage_engine::check(T
{
char buff[STRING_BUFFER_USUAL_SIZE];
const char *value;
- String str(buff, sizeof(buff), &my_charset_latin1), *res;
+ String str(buff, sizeof(buff) - 1, &my_charset_latin1), *res;
var->save_result.plugin= NULL;
if (var->value->result_type() == STRING_RESULT)
@@ -3737,7 +3737,7 @@ sys_var_thd_sql_mode::
symbolic_mode_representation(THD *thd, ulonglong val, LEX_STRING *rep)
{
char buff[STRING_BUFFER_USUAL_SIZE*8];
- String tmp(buff, sizeof(buff), &my_charset_latin1);
+ String tmp(buff, sizeof(buff) - 1, &my_charset_latin1);
tmp.length(0);
Index: work-5.1-buildbot/sql/sql_string.h
===================================================================
--- work-5.1-buildbot.orig/sql/sql_string.h 2009-04-08 00:35:38.000000000 +0200
+++ work-5.1-buildbot/sql/sql_string.h 2009-04-08 00:35:43.000000000 +0200
@@ -63,6 +63,10 @@ public:
Ptr=(char*) str; str_length=(uint) strlen(str); Alloced_length=0; alloced=0;
str_charset=cs;
}
+ /*
+ NOTE: the following two contructors needs the size of memory for STR to be
+ at least LEN+1 (to make room for zero termination in c_ptr()).
+ */
String(const char *str,uint32 len, CHARSET_INFO *cs)
{
Ptr=(char*) str; str_length=len; Alloced_length=0; alloced=0;
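Review bot: The added comment carries two typos and a grammar slip (`contructors needs`) and should be reworded before it becomes the reference for this contract, e.g. `NOTE: the following two constructors need the memory at STR to be at least LEN+1 bytes, because c_ptr() stores a zero terminator at position LEN.` Nothing in the constructor can verify the caller's buffer size, so this comment is the only guard; an audit of other `String x(buf, sizeof(buf), ...)` call sites outside set_var.cc seems worthwhile before merging, since the patch description implies the pattern was copied widely. The second constructor the comment refers to lies outside the hunk.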
--