database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-12-24 11:21:21 +03:00
Code Activity

Bug#48983: Bad strmake calls (length one too long)

Browse Source 
The problem is a somewhat common misusage of the strmake function.
The strmake(dst, src, len) function writes at most /len/ bytes to
the string pointed to by src, not including the trailing null byte.
Hence, if /len/ is the exact length of the destination buffer, a
one byte buffer overflow can occur if the length of the source
string is equal to or greater than /len/.
This commit is contained in:
Davi Arnaut
2009-12-17 15:58:38 -02:00
parent 0f73979084
commit b9380f0e76
12 changed files with 22 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
mysys/mf_pack.c
View File

@@ -234,7 +234,7 @@ my_bool my_use_symdir=0; /* Set this if you want to use symdirs */
#ifdef USE_SYMDIR
void symdirget(char *dir)
{
char buff[FN_REFLEN];
char buff[FN_REFLEN+1];
char *pos=strend(dir);
if (dir[0] && pos[-1] != FN_DEVCHAR && my_access(dir, F_OK))
{
@@ -246,7 +246,7 @@ void symdirget(char *dir)
*pos++=temp; *pos=0; /* Restore old filename */
if (file >= 0)
{
if ((length= my_read(file, buff, sizeof(buff), MYF(0))) > 0)
if ((length= my_read(file, buff, sizeof(buff) - 1, MYF(0))) > 0)
{
for (pos= buff + length ;
pos > buff && (iscntrl(pos[-1]) || isspace(pos[-1])) ;