
maria-developers team mailing list archive

Re: [patch 11/11] Fix passing too large buffer size to String() constructor, causing overflow by 1 byte



>>>>> "knielsen" == knielsen  <knielsen@xxxxxxxxxxxxxxx> writes:

knielsen> In set_var.cc, several methods construct a String object passing too
knielsen> large length for given buffer. The String class assumes 1 more byte is
knielsen> available after the given length for zero termination in
knielsen> String::c_ptr().

knielsen> Fix by passing proper length in constructor call.


ok above.
knielsen> Index: work-5.1-buildbot/sql/sql_string.h
knielsen> ===================================================================
knielsen> --- work-5.1-buildbot.orig/sql/sql_string.h	2009-04-08 00:35:38.000000000 +0200
knielsen> +++ work-5.1-buildbot/sql/sql_string.h	2009-04-08 00:35:43.000000000 +0200
knielsen> @@ -63,6 +63,10 @@ public:
knielsen>      Ptr=(char*) str; str_length=(uint) strlen(str); Alloced_length=0; alloced=0;
knielsen>      str_charset=cs;
knielsen>    }
knielsen> +  /*
knielsen> +    NOTE: the following two contructors needs the size of memory for STR to be
knielsen> +    at least LEN+1 (to make room for zero termination in c_ptr()).


If one intends to use the c_ptr() method.

knielsen> +  */
knielsen>    String(const char *str,uint32 len, CHARSET_INFO *cs)
knielsen>    { 
knielsen>      Ptr=(char*) str; str_length=len; Alloced_length=0; alloced=0;
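Review bot: the added NOTE in sql_string.h has wording errors ("contructors needs" should read "constructors need") and, as the reply above points out, the LEN+1 requirement only applies when c_ptr() will be called on the object, so the comment should say so rather than stating it unconditionally. Suggested text: "NOTE: the following two constructors need the memory for STR to be at least LEN+1 bytes if c_ptr() is going to be called (it writes the zero terminator at STR[LEN])." Stating the exact index that gets written makes it obvious to callers that sizeof(buffer) is one too many.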
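To make the LEN+1 contract from the commit message concrete, here is an added example that is not MariaDB's code: a hypothetical cut-down `MiniString` class stands in for `String` from sql_string.h, with an extra `buf_size` field (not present in the real class) so that the terminator write in `c_ptr()` can be bounds-checked instead of silently overflowing. The real `c_ptr()` is simplified here to "write a zero at `Ptr[str_length]`", which is the part of its behaviour the patch is about.

```cpp
// Added example, not MariaDB code: a cut-down stand-in for the String class
// in sql_string.h that makes the LEN+1 contract from the patch's NOTE explicit.
#include <cstdint>
#include <cstring>
#include <cstddef>

class MiniString {
  char    *Ptr;
  uint32_t str_length;   // payload length, as passed to the constructor
  uint32_t buf_size;     // hypothetical extra field: real size of the backing buffer
public:
  // Same shape as String(const char *str, uint32 len, CHARSET_INFO *cs),
  // minus the charset; buf_size is added only so the check below is possible.
  MiniString(char *str, uint32_t len, uint32_t size)
    : Ptr(str), str_length(len), buf_size(size) {}

  // Simplified model of String::c_ptr(): guarantee a zero byte at
  // Ptr[str_length], i.e. index LEN, which only exists if the buffer
  // holds LEN+1 bytes. Returns nullptr instead of writing when the buffer
  // is too small; the real class does not check, which is the one-byte
  // overflow the patch fixes by passing a smaller LEN.
  const char *c_ptr() {
    if (str_length + 1 > buf_size)   // terminator would land one past the end
      return nullptr;
    Ptr[str_length] = '\0';
    return Ptr;
  }
  uint32_t length() const { return str_length; }
};

// The bug pattern described for set_var.cc: a fixed buffer passed with its
// full size as LEN, so c_ptr() needs one byte more than exists.
bool c_ptr_is_safe_with_full_size()
{
  char buf[16];
  std::memset(buf, 'x', sizeof(buf));            // constructed sample contents
  MiniString s(buf, sizeof(buf), sizeof(buf));   // LEN == buffer size: too large
  return s.c_ptr() != nullptr;                   // false: write refused
}

// The fix: pass sizeof(buf) - 1 so the terminator stays inside the buffer.
bool c_ptr_is_safe_with_fixed_size()
{
  char buf[16];
  std::memset(buf, 'x', sizeof(buf));
  MiniString s(buf, sizeof(buf) - 1, sizeof(buf));
  const char *p = s.c_ptr();
  return p != nullptr && std::strlen(p) == sizeof(buf) - 1;   // true
}
```

The two helper functions show the before and after of the fix on the same 16-byte buffer: with `LEN == sizeof(buf)` the terminator has nowhere to go, with `LEN == sizeof(buf) - 1` it lands on the last byte and `c_ptr()` returns a properly terminated string.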