database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-29 05:21:33 +03:00
Code Activity

Bug#48983: Bad strmake calls (length one too long)

Browse Source 
The problem is a somewhat common misusage of the strmake function.
The strmake(dst, src, len) function writes at most /len/ bytes to
the string pointed to by src, not including the trailing null byte.
Hence, if /len/ is the exact length of the destination buffer, a
one byte buffer overflow can occur if the length of the source
string is equal to or greater than /len/.
This commit is contained in:
Davi Arnaut
2009-12-17 15:58:38 -02:00
parent 0f73979084
commit b9380f0e76
12 changed files with 22 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
client/mysqldump.c
View File

@ -782,7 +782,7 @@ get_one_option(int optid, const struct my_option *opt __attribute__((unused)),
&err_ptr, &err_len);
if (err_len)
{
strmake(buff, err_ptr, min(sizeof(buff), err_len));
strmake(buff, err_ptr, min(sizeof(buff) - 1, err_len));
fprintf(stderr, "Invalid mode to --compatible: %s\n", buff);
exit(1);
}
@ -3452,7 +3452,7 @@ static ulong find_set(TYPELIB *lib, const char *x, uint length,
for (; pos != end && *pos != ','; pos++) ;
var_len= (uint) (pos - start);
strmake(buff, start, min(sizeof(buff), var_len));
strmake(buff, start, min(sizeof(buff) - 1, var_len));
find= find_type(buff, lib, var_len);
if (!find)
{