Bug#31588: buffer overrun when setting variables

Buffer used when setting variables was not dimensioned to accomodate trailing '\0'. An overflow by one character was therefore possible. CS corrects limits to prevent such overflows. mysql-test/r/variables.result: Try to overflow buffer used for setting system variables. Unpatched server should throw a valgrind warning here. Actual value and error message irrelevant, only length counts. mysql-test/t/variables.test: Try to overflow buffer used for setting system variables. sql/set_var.cc: Adjust maximum number of characters we can store in 'buff' by one as strmake() will write a terminating '\0'.
2025-07-29 05:21:33 +03:00 · 2007-10-18 10:47:54 +02:00
parent 77d786b5a0
commit cd9d89a75d
3 changed files with 12 additions and 2 deletions
--- a/mysql-test/r/variables.result
+++ b/mysql-test/r/variables.result
@ -561,3 +561,6 @@ set @@query_prealloc_size = @test;
 select @@query_prealloc_size = @test;
@@query_prealloc_size = @test
 1
+set global sql_mode=repeat('a',80);
+ERROR 42000: Variable 'sql_mode' can't be set to the value of 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
+End of 4.1 tests