From cd9d89a75d4cd5e9408cd34e6229910acf23cdc1 Mon Sep 17 00:00:00 2001 From: unknown Date: Thu, 18 Oct 2007 10:47:54 +0200 Subject: [PATCH] Bug#31588: buffer overrun when setting variables Buffer used when setting variables was not dimensioned to accomodate trailing '\0'. An overflow by one character was therefore possible. CS corrects limits to prevent such overflows. mysql-test/r/variables.result: Try to overflow buffer used for setting system variables. Unpatched server should throw a valgrind warning here. Actual value and error message irrelevant, only length counts. mysql-test/t/variables.test: Try to overflow buffer used for setting system variables. sql/set_var.cc: Adjust maximum number of characters we can store in 'buff' by one as strmake() will write a terminating '\0'. --- mysql-test/r/variables.result | 3 +++ mysql-test/t/variables.test | 9 ++++++++- sql/set_var.cc | 2 +- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/mysql-test/r/variables.result b/mysql-test/r/variables.result index 14f1eb7d306..a5b6c308969 100644 --- a/mysql-test/r/variables.result +++ b/mysql-test/r/variables.result @@ -561,3 +561,6 @@ set @@query_prealloc_size = @test; select @@query_prealloc_size = @test; @@query_prealloc_size = @test 1 +set global sql_mode=repeat('a',80); +ERROR 42000: Variable 'sql_mode' can't be set to the value of 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' +End of 4.1 tests diff --git a/mysql-test/t/variables.test b/mysql-test/t/variables.test index 808dc0973d4..371cd6bc9b1 100644 --- a/mysql-test/t/variables.test +++ b/mysql-test/t/variables.test @@ -447,4 +447,11 @@ set @test = @@query_prealloc_size; set @@query_prealloc_size = @test; select @@query_prealloc_size = @test; -# End of 4.1 tests +# +# Bug#31588 buffer overrun when setting variables +# +# Buffer-size Off By One. Should throw valgrind-warning without fix #31588. +--error 1231 +set global sql_mode=repeat('a',80); + +--echo End of 4.1 tests 
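Review bot: The new test in variables.test pins the overrun length as a bare literal 80, and nothing ties that number to the buffer it is meant to overflow, so if `buff` in sys_var::check_set is ever resized the test silently stops probing the boundary while still passing. I would say so in the test comment: `# 80 chars = presumably sizeof(buff) in sys_var::check_set (set_var.cc); keep in sync`. Note also that `--error 1231` is returned both with and without the fix, so the case only detects the bug under valgrind, which the existing comment already states; the expected message in the .result hunk appears to echo a truncated form of the value (64 characters for an 80-character input), so nobody should expect the full string there.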
diff --git a/sql/set_var.cc b/sql/set_var.cc
index 520ee5c9f70..1d18eba30a8 100644
--- a/sql/set_var.cc
+++ b/sql/set_var.cc
@@ -1573,7 +1573,7 @@ bool sys_var::check_set(THD *thd, set_var *var, TYPELIB *enum_names)
 ¬_used));
 if (error_len)
 {
- strmake(buff, error, min(sizeof(buff), error_len));
+ strmake(buff, error, min(sizeof(buff) - 1, error_len));
 goto err;
 }
 }
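Review bot: The `- 1` on the new strmake() line carries the whole fix, but nothing at the call site says why it is there, so a later cleanup could fold it back into `min(sizeof(buff), error_len)` and reintroduce the one-byte overrun; I would put the reason on the line above it: `/* strmake() copies at most N chars and then writes '\0'; leave one byte of buff for it */`. The truncation also means the value echoed in the error message can be shorter than what the client sent (the new .result line shows a clipped value), which is acceptable on an error path but worth a word in the same comment. `sizeof(buff)` is a size_t while `error_len` is presumably an unsigned int; that is harmless with a macro min() but would not compile under a template std::min, so keep the macro form if this code is ever modernised. The body of sys_var::check_set starts and ends outside this hunk, and the declaration of `buff` is not visible here.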