database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-30 16:24:05 +03:00
Code Activity

Bug#21977380 - POSSIBLE BUFFER OVERFLOW ISSUES

Browse Source 
DESCRIPTION
===========
Buffer overflow is reported in a lot of code sections
spanning across server, client programs, Regex libraries
etc. If not handled appropriately, they can cause abnormal
behaviour.

ANALYSIS
========
The reported casea are the ones which are likely to result
in SEGFAULT, MEMORY LEAK etc.

FIX
===
- sprintf() has been replaced by my_snprintf() to avoid
buffer overflow.
- my_free() is done after checking if the pointer isn't
  NULL already and setting it to NULL thereafter at few
  places.
- Buffer is ensured to be large enough to hold the data.
- 'unsigned int' (aka 'uint') is replaced with 'size_t'
to avoid wraparound.
- Memory is freed (if not done so) after its alloced and
used.
- Inserted assert() for size check in InnoDb memcached
code (from 5.6 onwards)
- Other minor changes

(cherry picked from commit 3487e20959c940cbd24429afa795ebfc8a01e94f)
This commit is contained in:
Shishir Jaiswal
2016-05-16 13:46:49 +05:30
committed by Prashant Tekriwal
parent 6768f80c0b
commit 9d72fb4af0
5 changed files with 78 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
client/mysqlshow.c
View File

@ -52,9 +52,9 @@ static int list_tables(MYSQL *mysql,const char *db,const char *table);
static int list_table_status(MYSQL *mysql,const char *db,const char *table);
static int list_fields(MYSQL *mysql,const char *db,const char *table,
const char *field);
static void print_header(const char *header,uint head_length,...);
static void print_row(const char *header,uint head_length,...);
static void print_trailer(uint length,...);
static void print_header(const char *header,size_t head_length,...);
static void print_row(const char *header,size_t head_length,...);
static void print_trailer(size_t length,...);
static void print_res_header(MYSQL_RES *result);
static void print_res_top(MYSQL_RES *result);
static void print_res_row(MYSQL_RES *result,MYSQL_ROW cur);
@ -374,7 +374,8 @@ static int
list_dbs(MYSQL *mysql,const char *wild)
{
const char *header;
uint length, counter = 0;
size_t length = 0;
uint counter = 0;
ulong rowcount = 0L;
char tables[NAME_LEN+1], rows[NAME_LEN+1];
char query[NAME_LEN + 100];
@ -412,7 +413,7 @@ list_dbs(MYSQL *mysql,const char *wild)
printf("Wildcard: %s\n",wild);
header="Databases";
length=(uint) strlen(header);
length= strlen(header);
field=mysql_fetch_field(result);
if (length < field->max_length)
length=field->max_length;
@ -500,7 +501,8 @@ static int
list_tables(MYSQL *mysql,const char *db,const char *table)
{
const char *header;
uint head_length, counter = 0;
size_t head_length;
uint counter = 0;
char query[NAME_LEN + 100], rows[NAME_LEN], fields[16];
MYSQL_FIELD *field;
MYSQL_RES *result;
@ -537,7 +539,7 @@ list_tables(MYSQL *mysql,const char *db,const char *table)
putchar('\n');
header="Tables";
head_length=(uint) strlen(header);
head_length= strlen(header);
field=mysql_fetch_field(result);
if (head_length < field->max_length)
head_length=field->max_length;
@ -766,10 +768,10 @@ list_fields(MYSQL *mysql,const char *db,const char *table,
*****************************************************************************/
static void
print_header(const char *header,uint head_length,...)
print_header(const char *header,size_t head_length,...)
{
va_list args;
uint length,i,str_length,pre_space;
size_t length,i,str_length,pre_space;
const char *field;
va_start(args,head_length);
@ -792,10 +794,10 @@ print_header(const char *header,uint head_length,...)
putchar('|');
for (;;)
{
str_length=(uint) strlen(field);
str_length= strlen(field);
if (str_length > length)
str_length=length+1;
pre_space=(uint) (((int) length-(int) str_length)/2)+1;
pre_space= ((length- str_length)/2)+1;
for (i=0 ; i < pre_space ; i++)
putchar(' ');
for (i = 0 ; i < str_length ; i++)
@ -829,11 +831,11 @@ print_header(const char *header,uint head_length,...)
static void
print_row(const char *header,uint head_length,...)
print_row(const char *header,size_t head_length,...)
{
va_list args;
const char *field;
uint i,length,field_length;
size_t i,length,field_length;
va_start(args,head_length);
field=header; length=head_length;
@ -842,7 +844,7 @@ print_row(const char *header,uint head_length,...)
putchar('|');
putchar(' ');
fputs(field,stdout);
field_length=(uint) strlen(field);
field_length= strlen(field);
for (i=field_length ; i <= length ; i++)
putchar(' ');
if (!(field=va_arg(args,char *)))
@ -856,10 +858,10 @@ print_row(const char *header,uint head_length,...)
static void
print_trailer(uint head_length,...)
print_trailer(size_t head_length,...)
{
va_list args;
uint length,i;
size_t length,i;
va_start(args,head_length);
length=head_length;
@ -902,7 +904,7 @@ static void print_res_top(MYSQL_RES *result)
mysql_field_seek(result,0);
while((field = mysql_fetch_field(result)))
{
if ((length=(uint) strlen(field->name)) > field->max_length)
if ((length= strlen(field->name)) > field->max_length)
field->max_length=length;
else
length=field->max_length;