database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-30 16:24:05 +03:00
Code Activity

Bug#33841: mysql client crashes when returning results for long-\

Browse Source 
running queries

Bug#33976: buffer overflow of variable time_buff in function com_go()

An internal buffer was too short.  Overextending could smash the 
stack on some architectures and cause SEGVs.  This is not a problem
that could be exploited to run arbitrary code.

To fix, I expanded one buffer to cover all the size that could be
written to (we know the abolute max).
This commit is contained in:
cmiller@zippy.cornsilk.net
2008-01-25 10:53:21 -05:00
parent 289d3e824d
commit b040a97c2a
1 changed files with 15 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
client/mysql.cc
View File

@ -1,4 +1,4 @@
/* Copyright (C) 2000-2003 MySQL AB /* Copyright (C) 2000-2008 MySQL AB
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -729,7 +729,7 @@ static void usage(int version)
if (version) if (version)
return; return;
printf("\ printf("\
Copyright (C) 2002 MySQL AB\n\ Copyright (C) 2000-2008 MySQL AB\n\
This software comes with ABSOLUTELY NO WARRANTY. This is free software,\n\ This software comes with ABSOLUTELY NO WARRANTY. This is free software,\n\
and you are welcome to modify and redistribute it under the GPL license\n"); and you are welcome to modify and redistribute it under the GPL license\n");
printf("Usage: %s [OPTIONS] [database]\n", my_progname); printf("Usage: %s [OPTIONS] [database]\n", my_progname);
@ -1910,7 +1910,8 @@ com_charset(String *buffer __attribute__((unused)), char *line)
static int static int
com_go(String *buffer,char *line __attribute__((unused))) com_go(String *buffer,char *line __attribute__((unused)))
{ {
char buff[200], time_buff[32], *pos; char buff[200]; /* about 110 chars used so far */
char time_buff[52+3+1]; /* time max + space&parens + NUL */
MYSQL_RES *result; MYSQL_RES *result;
ulong timer, warnings; ulong timer, warnings;
uint error= 0; uint error= 0;
@ -1973,6 +1974,8 @@ com_go(String *buffer,char *line __attribute__((unused)))
do do
{ {
char *pos;
if (quick) if (quick)
{ {
if (!(result=mysql_use_result(&mysql)) && mysql_field_count(&mysql)) if (!(result=mysql_use_result(&mysql)) && mysql_field_count(&mysql))
@ -1988,7 +1991,9 @@ com_go(String *buffer,char *line __attribute__((unused)))
if (verbose >= 3 || !opt_silent) if (verbose >= 3 || !opt_silent)
mysql_end_timer(timer,time_buff); mysql_end_timer(timer,time_buff);
else else
time_buff[0]=0; time_buff[0]= '\0';
/* Every branch must truncate buff . */
if (result) if (result)
{ {
if (!mysql_num_rows(result) && ! quick) if (!mysql_num_rows(result) && ! quick)
@ -2045,6 +2050,7 @@ com_go(String *buffer,char *line __attribute__((unused)))
fflush(stdout); fflush(stdout);
mysql_free_result(result); mysql_free_result(result);
} while (!(err= mysql_next_result(&mysql))); } while (!(err= mysql_next_result(&mysql)));
if (err >= 1) if (err >= 1)
error= put_error(&mysql); error= put_error(&mysql);
@ -3275,6 +3281,11 @@ static ulong start_timer(void)
} }
/**
Write as many as 52+1 bytes to buff, in the form of a legible duration of time.
len("4294967296 days, 23 hours, 59 minutes, 60.00 seconds") -> 52
*/
static void nice_time(double sec,char *buff,bool part_second) static void nice_time(double sec,char *buff,bool part_second)
{ {
ulong tmp; ulong tmp;