	MDEV-34205: ASAN stack buffer overflow in strxnmov() in frm_file_exists
Correct the second parameter for strxnmov to prevent potential buffer overflows. The second parameter must be one less than the size of the input buffer to avoid writing past the end of the buffer. While the second parameter is usually correct, there are exceptions that need fixing. This commit addresses the issue within frm_file_exists() and other affected places.
		| @@ -256,3 +256,8 @@ drop database mysqltest; | ||||
| Warnings: | ||||
| Note	1008	Can't drop database 'mysqltest'; database doesn't exist | ||||
| set @@session.sql_if_exists=0; | ||||
| # | ||||
| # MDEV-34205 ASAN stack-buffer-overflow in strxnmov | frm_file_exists | ||||
| # | ||||
| DROP TABLE `##################################################_long`.`#################################################_long`; | ||||
| ERROR 42S02: Unknown table '##################################################_long.#########################################...' | ||||
|   | ||||
| @@ -361,3 +361,9 @@ drop table mysqltest.does_not_exists; | ||||
| drop database mysqltest; | ||||
| drop database mysqltest; | ||||
| set @@session.sql_if_exists=0; | ||||
|  | ||||
| --echo # | ||||
| --echo # MDEV-34205 ASAN stack-buffer-overflow in strxnmov | frm_file_exists | ||||
| --echo # | ||||
| --error ER_BAD_TABLE_ERROR | ||||
| DROP TABLE `##################################################_long`.`#################################################_long`; | ||||
|   | ||||
| @@ -4356,7 +4356,7 @@ void handler::print_error(int error, myf errflag) | ||||
|   if (error < HA_ERR_FIRST && bas_ext()[0]) | ||||
|   { | ||||
|     char buff[FN_REFLEN]; | ||||
|     strxnmov(buff, sizeof(buff), | ||||
|     strxnmov(buff, sizeof(buff)-1, | ||||
|              table_share->normalized_path.str, bas_ext()[0], NULL); | ||||
|     my_error(textno, errflag, buff, error); | ||||
|   } | ||||
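Review bot: The `sizeof(buff)-1` in the strxnmov() call carries the whole fix but nothing at the call site says why, so the next caller copied from an older example can reintroduce the off-by-one. strxnmov() copies up to `len` characters and then appends the terminating NUL, so the destination must hold `len + 1` bytes; a short comment such as `/* strxnmov() appends a NUL after len bytes, so pass size - 1 */` above the call would record that contract. The same applies to the sql_kill_user, mysql_write_frm and Sys_var_timestamp::on_check_access_session hunks. A small wrapper or macro that takes the array itself and derives the length would remove the need to get this right by hand at each site. print_error's body starts and ends outside this hunk.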
|   | ||||
| @@ -9564,7 +9564,7 @@ sql_kill_user(THD *thd, LEX_USER *user, killed_state state) | ||||
|     break; | ||||
|   case ER_KILL_DENIED_ERROR: | ||||
|     char buf[DEFINER_LENGTH+1]; | ||||
|     strxnmov(buf, sizeof(buf), user->user.str, "@", user->host.str, NULL); | ||||
|     strxnmov(buf, sizeof(buf)-1, user->user.str, "@", user->host.str, NULL); | ||||
|     my_printf_error(ER_KILL_DENIED_ERROR, ER_THD(thd, ER_CANNOT_USER), MYF(0), | ||||
|                     "KILL USER", buf); | ||||
|     break; | ||||
|   | ||||
| @@ -1906,7 +1906,7 @@ bool mysql_write_frm(ALTER_PARTITION_PARAM_TYPE *lpt, uint flags) | ||||
|     */ | ||||
|     build_table_filename(path, sizeof(path) - 1, lpt->alter_info->db.str, | ||||
|                          lpt->alter_info->table_name.str, "", 0); | ||||
|     strxnmov(frm_name, sizeof(frm_name), path, reg_ext, NullS); | ||||
|     strxnmov(frm_name, sizeof(frm_name)-1, path, reg_ext, NullS); | ||||
|     /*
 | ||||
|       When we are changing to use new frm file we need to ensure that we | ||||
|       don't collide with another thread in process to open the frm file. | ||||
|   | ||||
| @@ -4655,7 +4655,7 @@ bool Sys_var_timestamp::on_check_access_session(THD *thd) const | ||||
|     break; | ||||
|   } | ||||
|   char buf[1024]; | ||||
|   strxnmov(buf, sizeof(buf), "--secure-timestamp=", | ||||
|   strxnmov(buf, sizeof(buf)-1, "--secure-timestamp=", | ||||
|            secure_timestamp_levels[opt_secure_timestamp], NULL); | ||||
|   my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), buf); | ||||
|   return true; | ||||
|   | ||||
| @@ -13313,7 +13313,7 @@ ha_innobase::discard_or_import_tablespace( | ||||
| static bool frm_file_exists(const char *path) | ||||
| { | ||||
|   char buff[FN_REFLEN]; | ||||
|   strxnmov(buff, FN_REFLEN, path, reg_ext, NullS); | ||||
|   strxnmov(buff, sizeof(buff)-1, path, reg_ext, NullS); | ||||
|   return !access(buff, F_OK); | ||||
| } | ||||
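Review bot: With the bound corrected, an over-long `path` is now silently truncated in `buff`, and `access()` is then asked about a name that is not the one the caller meant, possibly with the `reg_ext` suffix cut off or missing. The regression test added in this commit shows that such lengths are reachable through DROP TABLE. An explicit length check before the copy would make the function answer "does not exist" deliberately instead of depending on what the truncated name resolves to: `if (strlen(path) + strlen(reg_ext) >= sizeof(buff)) return false;`. The mysql_write_frm hunk builds `frm_name` the same way; whether truncation can happen there depends on buffer sizes declared outside the hunk, so that should be confirmed as well.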
| 
 | ||||
|   | ||||