Bug#51738 Unit test pfs_instr-t crashes

The unit test pfs_instr-t: - generates a very long (10,000) bytes file name - calls find_or_create_file. This leads to a buffer overflow in mysys in my_realpath(), because my_realpath and mysys file APIs in general do not test for input parameters: mysys assumes every file name is less that FN_REFLEN in length. Calling find_or_create_file with a very long file name is likely to happen when instrumenting third party code that does not use mysys, so this test is legitimate. The fix is to make find_or_create_file in the performance schema more robust in this case.
2026-01-06 05:22:24 +03:00 · 2010-03-04 18:36:54 -07:00
parent 366a68bb46
commit 01b19dbbf4
1 changed files with 21 additions and 1 deletions
--- a/storage/perfschema/pfs_instr.cc
+++ b/storage/perfschema/pfs_instr.cc
@@ -746,6 +746,26 @@ find_or_create_file(PFS_thread *thread, PFS_file_class *klass,
    }
  }

+  char safe_buffer[FN_REFLEN];
+  const char *safe_filename;
+
+  if (len >= FN_REFLEN)
+  {
+    /*
+      The instrumented code uses file names that exceeds FN_REFLEN.
+      This could be legal for instrumentation on non mysys APIs,
+      so we support it.
+      Truncate the file name so that:
+      - it fits into pfs->m_filename
+      - it is safe to use mysys apis to normalize the file name.
+    */
+    memcpy(safe_buffer, filename, FN_REFLEN - 2);
+    safe_buffer[FN_REFLEN - 1]= 0;
+    safe_filename= safe_buffer;
+  }
+  else
+    safe_filename= filename;
+
  /*
    Normalize the file name to avoid duplicates when using aliases:
    - absolute or relative paths
@@ -759,7 +779,7 @@ find_or_create_file(PFS_thread *thread, PFS_file_class *klass,
    Ignore errors, the file may not exist.
    my_realpath always provide a best effort result in buffer.
  */
-  (void) my_realpath(buffer, filename, MYF(0));
+  (void) my_realpath(buffer, safe_filename, MYF(0));

  normalized_filename= buffer;
  normalized_length= strlen(normalized_filename);