Fix for BUG#16899: Possible buffer overflow in handling of DEFINER-clause

User name (host name) has limit on length. The server code relies on these limits when storing the names. The problem was that sometimes these limits were not checked properly, so that could lead to buffer overflow. The fix is to check length of user/host name in parser and if string is too long, throw an error.
2025-08-31 22:22:30 +03:00 · 2006-08-23 21:31:00 +04:00
parent 28ac53688f
commit 9af756efd3
14 changed files with 239 additions and 51 deletions
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -7533,16 +7533,34 @@ LEX_USER *create_definer(THD *thd, LEX_STRING *user_name, LEX_STRING *host_name)

 LEX_USER *get_current_user(THD *thd, LEX_USER *user)
 {
-  LEX_USER *curr_user;
  if (!user->user.str)  // current_user
-  {
-    if (!(curr_user= (LEX_USER*) thd->alloc(sizeof(LEX_USER))))
-    {
-      my_error(ER_OUTOFMEMORY, MYF(0), sizeof(LEX_USER));
-      return 0;
-    }
-    get_default_definer(thd, curr_user);
-    return curr_user;
-  }
+    return create_default_definer(thd);
+
  return user;
 }
+
+
+/*
+  Check that length of a string does not exceed some limit.
+
+  SYNOPSIS
+    check_string_length()
+      str         string to be checked
+      err_msg     error message to be displayed if the string is too long
+      max_length  max length
+
+  RETURN
+    FALSE   the passed string is not longer than max_length
+    TRUE    the passed string is longer than max_length
+*/
+
+bool check_string_length(LEX_STRING *str, const char *err_msg,
+                         uint max_length)
+{
+  if (str->length <= max_length)
+    return FALSE;
+
+  my_error(ER_WRONG_STRING_LENGTH, MYF(0), str->str, err_msg, max_length);
+
+  return TRUE;
+}