mirror of https://github.com/MariaDB/server.git synced 2025-08-31 22:22:30 +03:00

Bug#21977380 - POSSIBLE BUFFER OVERFLOW ISSUES

DESCRIPTION
===========
Buffer overflow is reported in a lot of code sections
spanning across server, client programs, Regex libraries
etc. If not handled appropriately, they can cause abnormal
behaviour.

ANALYSIS
========
The reported cases are the ones which are likely to result
in SEGFAULT, MEMORY LEAK etc.

FIX
===
- sprintf() has been replaced by my_snprintf() to avoid
buffer overflow.
- my_free() is done after checking if the pointer isn't
  NULL already and setting it to NULL thereafter at a few
  places.
- Buffer is ensured to be large enough to hold the data.
- 'unsigned int' (aka 'uint') is replaced with 'size_t'
to avoid wraparound.
- Memory is freed (if not done so) after it is allocated and
used.
- Inserted assert() for size check in InnoDb memcached
code (from 5.6 onwards)
- Other minor changes

(cherry picked from commit 3487e20959c940cbd24429afa795ebfc8a01e94f)
This commit is contained in:
Shishir Jaiswal
2016-05-16 13:46:49 +05:30
committed by Prashant Tekriwal
parent 6768f80c0b
commit 9d72fb4af0
5 changed files with 78 additions and 57 deletions
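The three guards the commit message lists (a length check before strcpy(), sprintf() replaced by a bounded formatter, and size_t instead of unsigned int for lengths) are shown below in a small stand-alone C program. This is an added illustration, not code from the MariaDB tree: the function names copy_checked(), format_checked(), needed_uint() and needed_size_t(), the "%s:%u" format and the 8-byte buffer are assumptions chosen for the example, and plain snprintf() stands in for the server's my_snprintf().

```c
#include <stdio.h>
#include <string.h>
#include <limits.h>

/* Bounded copy using the same test the commit adds before strcpy():
 * refuse when dst cannot hold src plus its terminating NUL.
 * Returns 1 on success, 0 if src does not fit (dst is left untouched). */
int copy_checked(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0 || dstsz - 1 < strlen(src))
        return 0;
    strcpy(dst, src);           /* safe: the length was verified above */
    return 1;
}

/* sprintf() replacement: snprintf() never writes past dstsz bytes and
 * always NUL-terminates (when dstsz > 0).  The return value is the length
 * the full string would have had, so truncation can be detected instead
 * of silently corrupting adjacent memory.
 * Returns 1 when the whole string fit, 0 when it was truncated. */
int format_checked(char *dst, size_t dstsz, const char *name, unsigned port)
{
    int n = snprintf(dst, dstsz, "%s:%u", name, port);
    return n >= 0 && (size_t)n < dstsz;
}

/* Wraparound: computing "len + 1" in unsigned int can wrap to 0 for a
 * length that size_t represents exactly, which then passes any
 * "needed <= buffer size" check. */
unsigned needed_uint(size_t len)   { return (unsigned)len + 1u; }
size_t   needed_size_t(size_t len) { return len + 1; }

int main(void)
{
    char buf[8];                /* constructed: deliberately small target */

    printf("copy 7 chars:  %d\n", copy_checked(buf, sizeof buf, "1234567"));
    printf("copy 8 chars:  %d\n", copy_checked(buf, sizeof buf, "12345678"));
    printf("fmt db:3306:   %d (%s)\n",
           format_checked(buf, sizeof buf, "db", 3306), buf);
    printf("fmt long name: %d (%s)\n",
           format_checked(buf, sizeof buf, "mariadb", 3306), buf);
    printf("uint need:     %u\n", needed_uint((size_t)UINT_MAX));
    printf("size_t need:   %zu\n", needed_size_t((size_t)UINT_MAX));
    return 0;
}
```

The off-by-one in the guard matters: `sizeof(buf) - 1 < strlen(src)` leaves exactly one byte for the NUL terminator; comparing against `sizeof(buf)` alone would still let an eight-character string overflow an eight-byte buffer by one.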


@@ -163,6 +163,10 @@ char *argv[];
}
else if (argc > 3)
for (n = atoi(argv[3]); n > 0; n--) {
if(sizeof(buf)-1 < strlen(argv[1]))
{
exit(EXIT_FAILURE);
}
(void) strcpy(buf, argv[1]);
(void) split(buf, fields, MNF, argv[2]);
}
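Review bot: the new guard is correct on the boundary (rejecting `strlen(argv[1]) > sizeof(buf) - 1` leaves room for the NUL that `strcpy` writes), but it exits with no diagnostic and it sits inside the `for` loop even though `argv[1]` and `sizeof(buf)` never change between iterations. Hoist the check above `for (n = atoi(argv[3]); n > 0; n--)` and report the reason before leaving, e.g. `fprintf(stderr, "argument too long for buffer\n"); exit(EXIT_FAILURE);`. Any other branch of this function that copies `argv[1]` into `buf` needs the same guard; only the `argc > 3` path is protected by this hunk.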