
Bug#48983: Bad strmake calls (length one too long)

The problem is a somewhat common misuse of the strmake function.
The strmake(dst, src, len) function writes at most /len/ bytes to
the string pointed to by dst, not including the trailing null byte.
Hence, if /len/ is the exact length of the destination buffer, a
one byte buffer overflow can occur if the length of the source
string is equal to or greater than /len/.
This commit is contained in:
Davi Arnaut
2009-12-17 15:58:38 -02:00
parent 0f73979084
commit b9380f0e76
12 changed files with 22 additions and 19 deletions


@ -712,7 +712,10 @@ my_bool STDCALL mysql_change_user(MYSQL *mysql, const char *user,
if (!passwd)
passwd="";
/* Store user into the buffer */
/*
Store user into the buffer.
Advance position as strmake returns a pointer to the closing NUL.
*/
end= strmake(end, user, USERNAME_LENGTH) + 1;
/* write scrambled password according to server capabilities */
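Review bot: The new comment explains the `+ 1` but not the capacity the call depends on: `strmake(end, user, USERNAME_LENGTH)` may store USERNAME_LENGTH bytes of `user` and then the terminating NUL, so at least USERNAME_LENGTH + 1 bytes must remain at `end`, which is exactly the one-byte margin this commit is fixing elsewhere. The buffer `end` points into is declared outside the hunk, so whether that margin holds cannot be checked from here; mysql_change_user's body starts before and continues after the hunk. I would add one line to the comment: `Requires at least USERNAME_LENGTH + 1 bytes of room at end (the user name plus the NUL).`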
@ -1252,7 +1255,7 @@ mysql_list_fields(MYSQL *mysql, const char *table, const char *wild)
{
MYSQL_RES *result;
MYSQL_FIELD *fields;
char buff[257],*end;
char buff[258],*end;
DBUG_ENTER("mysql_list_fields");
DBUG_PRINT("enter",("table: '%s' wild: '%s'",table,wild ? wild : ""));