mirror of https://github.com/MariaDB/server.git synced 2025-07-24 19:42:23 +03:00

Bug#21973610: BUFFER OVERFLOW ISSUES

Description : Incorrect usage of sprintf/strcpy caused
              possible buffer overflow issues at various
              places.

Solution : - Fixed mysql_plugin and mysqlshow
           - Fixed regex library issues

Reviewed-By : Georgi Kodinov <georgi.kodinov@oracle.com>
Reviewed-By : Venkata S Murthy Sidagam <venkata.sidagam@oracle.com>
Harin Vadodaria
2015-11-06 16:41:55 +05:30
parent fd9831410d
commit 0dbd5a8797
4 changed files with 42 additions and 24 deletions


@ -425,7 +425,8 @@ char *should;
(sub.rm_so != -1 && sub.rm_eo == -1) ||
(sub.rm_so != -1 && sub.rm_so < 0) ||
(sub.rm_eo != -1 && sub.rm_eo < 0) ) {
sprintf(grump, "start %ld end %ld", (long)sub.rm_so,
snprintf(grump, sizeof(grump),
"start %ld end %ld", (long)sub.rm_so,
(long)sub.rm_eo);
return(grump);
}
@ -438,7 +439,8 @@ char *should;
/* check for in range */
if ((int) sub.rm_eo > (int) strlen(str)) {
sprintf(grump, "start %ld end %ld, past end of string",
snprintf(grump, sizeof(grump),
"start %ld end %ld, past end of string",
(long)sub.rm_so, (long)sub.rm_eo);
return(grump);
}
@ -449,13 +451,15 @@ char *should;
/* check for not supposed to match */
if (should == NULL) {
sprintf(grump, "matched `%.*s'", len, p);
snprintf(grump, sizeof(grump),
"matched `%.*s'", len, p);
return(grump);
}
/* check for wrong match */
if (len != shlen || strncmp(p, should, (size_t)shlen) != 0) {
sprintf(grump, "matched `%.*s' instead", len, p);
snprintf(grump, sizeof(grump),
"matched `%.*s' instead", len, p);
return(grump);
}
if (shlen > 0)
@ -468,7 +472,8 @@ char *should;
if (shlen == 0)
shlen = 1; /* force check for end-of-string */
if (strncmp(p, at, shlen) != 0) {
sprintf(grump, "matched null at `%.20s'", p);
snprintf(grump, sizeof(grump),
"matched null at `%.20s'", p);
return(grump);
}
return(NULL);
@ -501,7 +506,7 @@ char *name;
static char efbuf[100];
my_regex_t re;
sprintf(efbuf, "REG_%s", name);
snprintf(efbuf, sizeof(efbuf), "REG_%s", name);
assert(strlen(efbuf) < sizeof(efbuf));
re.re_endp = efbuf;
(void) my_regerror(REG_ATOI, &re, efbuf, sizeof(efbuf));
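Review bot: In the last hunk the retained `assert(strlen(efbuf) < sizeof(efbuf));` can no longer fail, because snprintf always NUL-terminates within `sizeof(efbuf)`, so an over-long `name` is now truncated silently and the shortened string is passed on to `my_regerror(REG_ATOI, ...)`. Checking the return value keeps the detection: `int n = snprintf(efbuf, sizeof(efbuf), "REG_%s", name);` followed by `assert(n >= 0 && (size_t)n < sizeof(efbuf));`, with `n` declared alongside the other locals; note that an assert disappears under NDEBUG, so a release build would still truncate quietly. The same silent truncation applies to the `grump` messages in the earlier hunks, where it only shortens a diagnostic, but `sizeof(grump)` is the buffer size only if `grump` is an array in scope, and its declaration is outside the hunks, so that is worth confirming. The enclosing function begins and ends outside this hunk.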