maria-developers team mailing list archive
Message #00135
Re: [patch 11/11] Fix passing too large buffer size to String() constructor, causing overflow by 1 byte
Hi!
>>>>> "knielsen" == knielsen <knielsen@xxxxxxxxxxxxxxx> writes:
knielsen> In set_var.cc, several methods construct a String object passing too
knielsen> large length for given buffer. The String class assumes 1 more byte is
knielsen> available after the given length for zero termination in
knielsen> String::c_ptr().
knielsen> Fix by passing proper length in constructor call.
<cut>
ok above.
knielsen> Index: work-5.1-buildbot/sql/sql_string.h
knielsen> ===================================================================
knielsen> --- work-5.1-buildbot.orig/sql/sql_string.h 2009-04-08 00:35:38.000000000 +0200
knielsen> +++ work-5.1-buildbot/sql/sql_string.h 2009-04-08 00:35:43.000000000 +0200
knielsen> @@ -63,6 +63,10 @@ public:
knielsen> Ptr=(char*) str; str_length=(uint) strlen(str); Alloced_length=0; alloced=0;
knielsen> str_charset=cs;
knielsen> }
knielsen> + /*
knielsen> + NOTE: the following two contructors needs the size of memory for STR to be
knielsen> + at least LEN+1 (to make room for zero termination in c_ptr()).
Add:
If one intends to use the c_ptr() method.
knielsen> + */
knielsen> String(const char *str,uint32 len, CHARSET_INFO *cs)
knielsen> {
knielsen> Ptr=(char*) str; str_length=len; Alloced_length=0; alloced=0;
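Review bot: the comment added above `String(const char *str,uint32 len, CHARSET_INFO *cs)` documents the LEN+1 requirement but nothing here can enforce it, since the constructor only receives `str` and `len` and sets `Alloced_length=0`, so the fix in set_var.cc rests entirely on each caller passing `sizeof(buf)-1`; it would help to say so in the comment, to scope the requirement to callers that will use c_ptr() (the terminator is only written there, as the reply points out), and to fix the wording `the following two contructors needs` to `the following two constructors need`.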
Regards,
Monty
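The off-by-one described in the patch, shown as an added example that is not code from the patch or from MariaDB: `MiniString` is a constructed stand-in for the relevant part of the `String` class (aliasing constructor plus a `c_ptr()` that writes a 0 at `Ptr[str_length]`), and the `len_for_c_ptr`, `len_fits_with_terminator`, `safe_wrap_and_terminate` and `demo` helpers are hypothetical names introduced here to make the LEN+1 rule explicit and checkable.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstring>

// Constructed stand-in for the part of MariaDB's String class the patch
// documents: the (str, len) constructor aliases a caller-owned buffer, and
// c_ptr() writes a terminating 0 at Ptr[str_length]. The class never learns
// the real buffer size, so the LEN+1 rule is purely the caller's duty.
struct MiniString {
  char *Ptr;
  uint32_t str_length;
  MiniString(char *str, uint32_t len) : Ptr(str), str_length(len) {}
  char *c_ptr() {                 // writes one byte past the string itself
    Ptr[str_length] = '\0';
    return Ptr;
  }
};

// Length the constructor must be given for a buffer of buf_size bytes when
// c_ptr() will be used: buf_size - 1 (sizeof(buf) - 1 for a local array).
uint32_t len_for_c_ptr(size_t buf_size) {
  return buf_size == 0 ? 0 : (uint32_t)(buf_size - 1);
}

// Explicit precondition check: does len leave room for the terminator?
bool len_fits_with_terminator(uint32_t len, size_t buf_size) {
  return (size_t)len + 1 <= buf_size;
}

// Wraps a fixed buffer the way the set_var.cc callers do, but clamps a
// too-large len to buf_size - 1 instead of letting c_ptr() write past the
// end. Returns the length actually used; *violated (if non-null) reports
// whether the requested length broke the LEN+1 rule.
uint32_t safe_wrap_and_terminate(char *buf, size_t buf_size,
                                 uint32_t requested_len, bool *violated) {
  bool bad = !len_fits_with_terminator(requested_len, buf_size);
  if (violated) *violated = bad;
  MiniString s(buf, bad ? len_for_c_ptr(buf_size) : requested_len);
  s.c_ptr();                      // now guaranteed to land inside buf
  return s.str_length;
}

// Demonstration on an 8-byte local (constructed sample, like the locals in
// set_var.cc). The buffer is filled with 'A' so the only 0 is the one c_ptr()
// writes; the returned strlen() shows where it landed (7 == buf[7], inside).
size_t demo(uint32_t requested_len) {
  char buf[8];
  memset(buf, 'A', sizeof(buf));
  safe_wrap_and_terminate(buf, sizeof(buf), requested_len, nullptr);
  return strlen(buf);
}
```

Passing `sizeof(buf)` (8) is the buggy pattern the patch fixes; the clamp turns it into 7, which is exactly what the corrected set_var.cc callers pass directly.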