BUG#20622: Fix one-byte buffer overrun in IM directory string handling.

The problem was a call to convert_dirname() with a destination buffer that did not have room for the trailing slash added by that function. This could cause the instance manager to crash in some cases.
2025-08-01 03:47:19 +03:00 · 2006-06-23 14:50:02 +02:00
parent 01046bb756
commit 98a5cdfe4c
2 changed files with 10 additions and 3 deletions
--- a/mysys/mf_dirname.c
+++ b/mysys/mf_dirname.c
@ -72,7 +72,9 @@ uint dirname_part(my_string to, const char *name)

  SYNPOSIS
    convert_dirname()
-    to				Store result here
+    to				Store result here. Must be at least of size
+    				min(FN_REFLEN, strlen(from) + 1) to make room
+    				for adding FN_LIBCHAR at the end.
    from			Original filename
    from_end			Pointer at end of filename (normally end \0)

--- a/server-tools/instance-manager/instance_options.cc
+++ b/server-tools/instance-manager/instance_options.cc
@ -391,8 +391,13 @@ int Instance_options::complete_initialization(const char *default_path,
  const char *tmp;
  char *end;

-  if (!mysqld_path && !(mysqld_path= strdup_root(&alloc, default_path)))
-    goto err;
+  if (!mysqld_path)
+  {
+    // Need one extra byte, as convert_dirname() adds a slash at the end.
+    if (!(mysqld_path= alloc_root(&alloc, strlen(default_path) + 2)))
+      goto err;
+    strcpy((char *)mysqld_path, default_path);
+  }

  // it's safe to cast this to char* since this is a buffer we are allocating
  end= convert_dirname((char*)mysqld_path, mysqld_path, NullS);