From e6ef54b31f9f59316e5b4037a868f030a3990b3d Mon Sep 17 00:00:00 2001
From: "tnurnberg@sin.intern.azundris.com" <>
Date: Thu, 18 Oct 2007 10:47:54 +0200
Subject: [PATCH] Bug#31588: buffer overrun when setting variables

Buffer used when setting variables was not dimensioned to accomodate trailing '\0'. An overflow by one character was therefore possible. CS corrects limits to prevent such overflows.
---
 mysql-test/r/variables.result | 3 +++
 mysql-test/t/variables.test | 9 ++++++++-
 sql/set_var.cc | 2 +-
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/mysql-test/r/variables.result b/mysql-test/r/variables.result
index 14f1eb7d306..a5b6c308969 100644
--- a/mysql-test/r/variables.result
+++ b/mysql-test/r/variables.result
@@ -561,3 +561,6 @@ set @@query_prealloc_size = @test;
 select @@query_prealloc_size = @test;
 @@query_prealloc_size = @test
 1
+set global sql_mode=repeat('a',80);
+ERROR 42000: Variable 'sql_mode' can't be set to the value of 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
+End of 4.1 tests
diff --git a/mysql-test/t/variables.test b/mysql-test/t/variables.test
index 808dc0973d4..371cd6bc9b1 100644
--- a/mysql-test/t/variables.test
+++ b/mysql-test/t/variables.test
@@ -447,4 +447,11 @@ set @test = @@query_prealloc_size;
 set @@query_prealloc_size = @test;
 select @@query_prealloc_size = @test;
-# End of 4.1 tests
+#
+# Bug#31588 buffer overrun when setting variables
+#
+# Buffer-size Off By One. Should throw valgrind-warning without fix #31588.
+--error 1231
+set global sql_mode=repeat('a',80);
+
+--echo End of 4.1 tests
diff --git a/sql/set_var.cc b/sql/set_var.cc
index 520ee5c9f70..1d18eba30a8 100644
--- a/sql/set_var.cc
+++ b/sql/set_var.cc
@@ -1573,7 +1573,7 @@ bool sys_var::check_set(THD *thd, set_var *var, TYPELIB *enum_names)
 ¬_used));
 if (error_len)
 {
- strmake(buff, error, min(sizeof(buff), error_len));
+ strmake(buff, error, min(sizeof(buff) - 1, error_len));
 goto err;
 }
 }
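Review bot: The `- 1` in the set_var.cc hunk is correct but unexplained, so a later reader may "simplify" it back to `sizeof(buff)`; a comment above the call such as `/* strmake() writes a terminating '\0' after at most 'length' chars, so keep one byte of buff for it */` would pin the reason. The enclosing check_set() starts and ends outside the hunk and buff's declaration is not visible, so any other strmake(buff, ..., sizeof(buff)) call sites in set_var.cc that follow the same pattern should be checked too; the commit fixes only this one site. error_len's type is also not visible here; if it is not size_t, the min() comparison promotes silently, and `min(sizeof(buff) - 1, (size_t) error_len)` would make the intent explicit. The new test in variables.test exercises only the sql_mode path through check_set(), which is fine for this bug but does not cover sibling check functions that may copy into a similarly sized buffer.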