database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-08-08 11:22:35 +03:00
Code Activity

- Fix MDEV-13782

Browse Source 
Problem with NOT LIKE queries.
  modified:   storage/connect/ha_connect.cc
  modified:   sql/item_cmpfunc.h

- Fix MDEV-21084
  Misusage of strncat could cause buffer overflow.
  modified:   storage/connect/reldef.cpp
  modified:   storage/connect/tabcmg.cpp
  modified:   storage/connect/tabjson.cpp
  modified:   storage/connect/tabrest.cpp
  modified:   storage/connect/tabxml.cpp
This commit is contained in:
Olivier Bertrand
2019-11-26 19:22:46 +01:00
parent fb91774e4e
commit f0da39be7f
7 changed files with 52 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
sql/item_cmpfunc.h
View File

@@ -1899,7 +1899,6 @@ class Item_func_like :public Item_bool_func2
bool escape_used_in_parsing; bool escape_used_in_parsing;
bool use_sampling; bool use_sampling;
bool negated;
DTCollation cmp_collation; DTCollation cmp_collation;
String cmp_value1, cmp_value2; String cmp_value1, cmp_value2;
@@ -1916,6 +1915,7 @@ protected:
Item_func::Functype type, Item *value); Item_func::Functype type, Item *value);
public: public:
int escape; int escape;
bool negated;
Item_func_like(THD *thd, Item *a, Item *b, Item *escape_arg, bool escape_used): Item_func_like(THD *thd, Item *a, Item *b, Item *escape_arg, bool escape_used):
Item_bool_func2(thd, a, b), canDoTurboBM(FALSE), pattern(0), pattern_len(0), Item_bool_func2(thd, a, b), canDoTurboBM(FALSE), pattern(0), pattern_len(0),

8
storage/connect/ha_connect.cc
View File

@@ -2966,10 +2966,10 @@ PCFIL ha_connect::CheckCond(PGLOBAL g, PCFIL filp, const Item *cond)
case Item_func::LE_FUNC: vop= OP_LE; break; case Item_func::LE_FUNC: vop= OP_LE; break;
case Item_func::GE_FUNC: vop= OP_GE; break; case Item_func::GE_FUNC: vop= OP_GE; break;
case Item_func::GT_FUNC: vop= OP_GT; break; case Item_func::GT_FUNC: vop= OP_GT; break;
//case Item_func::LIKE_FUNC: case Item_func::LIKE_FUNC:
// vop = OP_LIKE; vop = OP_LIKE;
// neg= ((Item_func_like*)condf)->negated; neg= ((Item_func_like*)condf)->negated;
// break; break;
case Item_func::ISNOTNULL_FUNC: case Item_func::ISNOTNULL_FUNC:
neg= true; neg= true;
// fall through // fall through

3
storage/connect/reldef.cpp
View File

@@ -624,7 +624,8 @@ PTABDEF OEMDEF::GetXdef(PGLOBAL g)
return NULL; return NULL;
} else } else
// PlugSetPath(soname, Module, GetPluginDir()); // Crashes on Fedora // PlugSetPath(soname, Module, GetPluginDir()); // Crashes on Fedora
strncat(strcpy(soname, GetPluginDir()), Module, _MAX_PATH); strncat(strcpy(soname, GetPluginDir()), Module,
sizeof(soname) - strlen(soname) - 1);
#if defined(__WIN__) #if defined(__WIN__)
// Is the DLL already loaded? // Is the DLL already loaded?

23
storage/connect/tabcmg.cpp
View File

@@ -53,25 +53,30 @@ bool CMGDISC::FindInDoc(PGLOBAL g, bson_iter_t *iter, const bson_t *doc,
{ {
if (!doc || bson_iter_init(iter, doc)) { if (!doc || bson_iter_init(iter, doc)) {
const char *key; const char *key;
char colname[65]; char colname[65];
char fmt[129]; char fmt[129];
bool newcol; bool newcol;
size_t n;
while (bson_iter_next(iter)) { while (bson_iter_next(iter)) {
key = bson_iter_key(iter); key = bson_iter_key(iter);
newcol = true; newcol = true;
if (pcn) { if (pcn) {
strncpy(colname, pcn, 64); n = sizeof(colname) - 1;
colname[64] = 0; strncpy(colname, pcn, n);
strncat(strncat(colname, "_", 65), key, 65); colname[n] = 0;
n -= strlen(colname);
strncat(strncat(colname, "_", n), key, n - 1);
} else } else
strcpy(colname, key); strcpy(colname, key);
if (pfmt) { if (pfmt) {
strncpy(fmt, pfmt, 128); n = sizeof(fmt) - 1;
fmt[128] = 0; strncpy(fmt, pfmt, n);
strncat(strncat(fmt, ".", 129), key, 129); fmt[n] = 0;
n -= strlen(fmt);
strncat(strncat(fmt, ".", n), key, n - 1);
} else } else
strcpy(fmt, key); strcpy(fmt, key);

40
storage/connect/tabjson.cpp
View File

@@ -394,10 +394,11 @@ err:
bool JSONDISC::Find(PGLOBAL g, PJVAL jvp, PCSZ key, int j) bool JSONDISC::Find(PGLOBAL g, PJVAL jvp, PCSZ key, int j)
{ {
char *p, *pc = colname + strlen(colname); char *p, *pc = colname + strlen(colname);
int ars; int ars;
PJOB job; size_t n;
PJAR jar; PJOB job;
PJAR jar;
if ((valp = jvp ? jvp->GetValue() : NULL)) { if ((valp = jvp ? jvp->GetValue() : NULL)) {
jcol.Type = valp->GetType(); jcol.Type = valp->GetType();
@@ -423,8 +424,10 @@ bool JSONDISC::Find(PGLOBAL g, PJVAL jvp, PCSZ key, int j)
PCSZ k = jrp->GetKey(); PCSZ k = jrp->GetKey();
if (*k != '$') { if (*k != '$') {
strncat(strncat(fmt, sep, 128), k, 128); n = sizeof(fmt) - strlen(fmt) -1;
strncat(strncat(colname, "_", 64), k, 64); strncat(strncat(fmt, sep, n), k, n - strlen(sep));
n = sizeof(colname) - strlen(colname) - 1;
strncat(strncat(colname, "_", n), k, n - 1);
} // endif Key } // endif Key
if (Find(g, jrp->GetVal(), k, j + 1)) if (Find(g, jrp->GetVal(), k, j + 1))
@@ -443,19 +446,26 @@ bool JSONDISC::Find(PGLOBAL g, PJVAL jvp, PCSZ key, int j)
ars = MY_MIN(jar->GetSize(false), 1); ars = MY_MIN(jar->GetSize(false), 1);
for (int k = 0; k < ars; k++) { for (int k = 0; k < ars; k++) {
if (!tdp->Xcol || stricmp(tdp->Xcol, key)) { n = sizeof(fmt) - (strlen(fmt) + 1);
if (!tdp->Xcol || stricmp(tdp->Xcol, key)) {
sprintf(buf, "%d", k); sprintf(buf, "%d", k);
if (tdp->Uri) if (tdp->Uri) {
strncat(strncat(fmt, sep, 128), buf, 128); strncat(strncat(fmt, sep, n), buf, n - strlen(sep));
else } else {
strncat(strncat(strncat(fmt, "[", 128), buf, 128), "]", 128); strncat(strncat(fmt, "[", n), buf, n - 1);
strncat(fmt, "]", n - (strlen(buf) + 1));
} // endif uri
if (all) if (all) {
strncat(strncat(colname, "_", 64), buf, 64); n = sizeof(colname) - (strlen(colname) + 1);
strncat(strncat(colname, "_", n), buf, n - 1);
} // endif all
} else } else {
strncat(fmt, (tdp->Uri ? sep : "[*]"), 128); strncat(fmt, (tdp->Uri ? sep : "[*]"), n);
}
if (Find(g, jar->GetValue(k), "", j)) if (Find(g, jar->GetValue(k), "", j))
return true; return true;

5
storage/connect/tabrest.cpp
View File

@@ -162,7 +162,7 @@ PQRYRES __stdcall ColREST(PGLOBAL g, PTOS tp, char *tab, char *db, bool info)
// We used the file name relative to recorded datapath // We used the file name relative to recorded datapath
strcat(strcat(strcat(strcpy(filename, "."), slash), db), slash); strcat(strcat(strcat(strcpy(filename, "."), slash), db), slash);
strncat(filename, fn, _MAX_PATH); strncat(filename, fn, _MAX_PATH - strlen(filename));
// Retrieve the file from the web and copy it locally // Retrieve the file from the web and copy it locally
if (http && grf(g->Message, trace(515), http, uri, filename)) { if (http && grf(g->Message, trace(515), http, uri, filename)) {
@@ -221,7 +221,8 @@ bool RESTDEF::DefineAM(PGLOBAL g, LPCSTR am, int poff)
// We used the file name relative to recorded datapath // We used the file name relative to recorded datapath
//PlugSetPath(filename, Fn, GetPath()); //PlugSetPath(filename, Fn, GetPath());
strncat(strcpy(filename, GetPath()), Fn, _MAX_PATH); strcpy(filename, GetPath());
strncat(filename, Fn, _MAX_PATH - strlen(filename));
// Retrieve the file from the web and copy it locally // Retrieve the file from the web and copy it locally
rc = grf(g->Message, xt, Http, Uri, filename); rc = grf(g->Message, xt, Http, Uri, filename);

4
storage/connect/tabxml.cpp
View File

@@ -240,7 +240,9 @@ PQRYRES XMLColumns(PGLOBAL g, char *db, char *tab, PTOS topt, bool info)
more: more:
if (vp->atp) { if (vp->atp) {
strncpy(colname, vp->atp->GetName(g), sizeof(colname)); size_t z = sizeof(colname) - 1;
strncpy(colname, vp->atp->GetName(g), z);
colname[z] = 0;
strncat(xcol->Name, colname, XLEN(xcol->Name)); strncat(xcol->Name, colname, XLEN(xcol->Name));
switch (vp->atp->GetText(g, buf, sizeof(buf))) { switch (vp->atp->GetText(g, buf, sizeof(buf))) {