Bug#43153: Version comment is too long

mysql-client used static buffer to concatenate server- version and version_comment. Sufficiently long comments could get cut off. This was harmless, but looked daft. Now using a dynamic buffer instead. client/mysql.cc: Use dynamic rather than static buffer for server information. If we can get both version and comment, concat them and use that. Otherwise, try to use just version. If that fails too, return empty string so overly trusting callers do not crash. Release memory as needed.
2025-08-08 11:22:35 +03:00 · 2009-03-19 18:42:43 +01:00
parent 868db2f21d
commit 6f572a8eaf
1 changed files with 23 additions and 12 deletions
--- a/client/mysql.cc
+++ b/client/mysql.cc
@@ -49,7 +49,7 @@ const char *VER= "14.14";
 #define MAX_COLUMN_LENGTH	     1024

 /* Buffer to hold 'version' and 'version_comment' */
-#define MAX_SERVER_VERSION_LENGTH     128
+static char *server_version= NULL;

 /* Array of options to pass to libemysqld */
 #define MAX_SERVER_ARGS               64
@@ -1236,6 +1236,7 @@ sig_handler mysql_end(int sig)
  glob_buffer.free();
  old_buffer.free();
  processed_prompt.free();
+  my_free(server_version,MYF(MY_ALLOW_ZERO_PTR));
  my_free(opt_password,MYF(MY_ALLOW_ZERO_PTR));
  my_free(opt_mysql_unix_port,MYF(MY_ALLOW_ZERO_PTR));
  my_free(histfile,MYF(MY_ALLOW_ZERO_PTR));
@@ -4365,16 +4366,11 @@ select_limit, max_join_size);
 static const char *
 server_version_string(MYSQL *con)
 {
-  static char buf[MAX_SERVER_VERSION_LENGTH] = "";
-
  /* Only one thread calls this, so no synchronization is needed */
-  if (buf[0] == '\0')
+  if (server_version == NULL)
  {
-    char *bufp = buf;
    MYSQL_RES *result;

-    bufp= strnmov(buf, mysql_get_server_info(con), sizeof buf);
-
    /* "limit 1" is protection against SQL_SELECT_LIMIT=0 */
    if (!mysql_query(con, "select @@version_comment limit 1") &&
        (result = mysql_use_result(con)))
@@ -4382,17 +4378,32 @@ server_version_string(MYSQL *con)
      MYSQL_ROW cur = mysql_fetch_row(result);
      if (cur && cur[0])
      {
-        bufp = strxnmov(bufp, sizeof buf - (bufp - buf), " ", cur[0], NullS);
+        /* version, space, comment, \0 */
+        size_t len= strlen(mysql_get_server_info(con)) + strlen(cur[0]) + 2;
+
+        if ((server_version= (char *) my_malloc(len, MYF(MY_WME))))
+        {
+          char *bufp;
+          bufp = strmov(server_version, mysql_get_server_info(con));
+          bufp = strmov(bufp, " ");
+          (void) strmov(bufp, cur[0]);
+        }
      }
      mysql_free_result(result);
    }

-    /* str*nmov doesn't guarantee NUL-termination */
-    if (bufp == buf + sizeof buf)
-      buf[sizeof buf - 1] = '\0';
+    /*
+      If for some reason we didn't get a version_comment, we'll
+      keep things simple.
+    */
+
+    if (server_version == NULL)
+    {
+      server_version= strdup(mysql_get_server_info(con));
+    }
  }

-  return buf;
+  return server_version ? server_version : "";
 }

 static int