- Fix MDEV-15793: Server crash in PlugCloseFile with sql_mode=''

Fixed by replacing sprinf by snprintf in ShowValue to avoid buffer overflow. It nows always use a buffer and returns int. modified: storage/connect/tabdos.cpp modified: storage/connect/tabfmt.cpp modified: storage/connect/value.cpp modified: storage/connect/value.h
2025-08-08 11:22:35 +03:00 · 2019-03-23 17:51:40 +01:00
parent d421df7ea6
commit fc1f3908c1
4 changed files with 78 additions and 84 deletions
--- a/storage/connect/tabdos.cpp
+++ b/storage/connect/tabdos.cpp
@@ -2492,8 +2492,10 @@ bool DOSCOL::SetBuffer(PGLOBAL g, PVAL value, bool ok, bool check)
  } // endif's Value, Buf_Type

  // Allocate the buffer used in WriteColumn for numeric columns
-  if (!Buf && IsTypeNum(Buf_Type))
-    Buf = (char*)PlugSubAlloc(g, NULL, MY_MAX(32, Long + Dcm + 1));
+	if (!Buf && IsTypeNum(Buf_Type))
+		Buf = (char*)PlugSubAlloc(g, NULL, MY_MAX(32, Long + 1));
+	else
+		Buf = (char*)Value->GetTo_Val();

  // Because Colblk's have been made from a copy of the original TDB in
  // case of Update, we must reset them to point to the original one.
@@ -2603,8 +2605,8 @@ void DOSCOL::ReadColumn(PGLOBAL g)
 /***********************************************************************/
 void DOSCOL::WriteColumn(PGLOBAL g)
  {
-  char   *p, *p2, fmt[32];
-  int     i, k, len, field;
+  char   *p, fmt[32];
+  int     i, k, n, len, field;
  PTDBDOS tdbp = (PTDBDOS)To_Tdb;

  if (trace(2))
@@ -2679,8 +2681,8 @@ void DOSCOL::WriteColumn(PGLOBAL g)
        case TYPE_DOUBLE:
        case TYPE_DECIM:
          strcpy(fmt, (Ldz) ? "%0*.*lf" : "%*.*lf");
-          sprintf(Buf, fmt, field + ((Nod && Dcm) ? 1 : 0),
-                  Dcm, Value->GetFloatValue());
+					len = field + ((Nod && Dcm) ? 1 : 0);
+          snprintf(Buf, len, fmt, len, Dcm, Value->GetFloatValue());
          len = strlen(Buf);

          if (Nod && Dcm)
@@ -2699,35 +2701,35 @@ void DOSCOL::WriteColumn(PGLOBAL g)
 					throw 31;
 			} // endswitch BufType

-      p2 = Buf;
+			n = strlen(Buf);
    } else                 // Standard CONNECT format
-      p2 = Value->ShowValue(Buf, field);
+      n = Value->ShowValue(Buf, field);

    if (trace(1))
-      htrc("new length(%p)=%d\n", p2, strlen(p2));
+      htrc("new length(%p)=%d\n", Buf, n);

-    if ((len = strlen(p2)) > field) {
-      sprintf(g->Message, MSG(VALUE_TOO_LONG), p2, Name, field);
+    if ((len = n) > field) {
+      sprintf(g->Message, MSG(VALUE_TOO_LONG), Buf, Name, field);
 			throw 31;
 		} else if (Dsp)
      for (i = 0; i < len; i++)
-        if (p2[i] == '.')
-          p2[i] = Dsp; 
+        if (Buf[i] == '.')
+          Buf[i] = Dsp; 

    if (trace(2))
-      htrc("buffer=%s\n", p2);
+      htrc("buffer=%s\n", Buf);

    /*******************************************************************/
    /*  Updating must be done only when not in checking pass.          */
    /*******************************************************************/
    if (Status) {
      memset(p, ' ', field);
-      memcpy(p, p2, len);
+      memcpy(p, Buf, len);

      if (trace(2))
        htrc(" col write: '%.*s'\n", len, p);

-      } // endif Use
+    } // endif Status

  } else    // BIN compressed table
    /*******************************************************************/
@@ -2738,7 +2740,7 @@ void DOSCOL::WriteColumn(PGLOBAL g)
      sprintf(g->Message, MSG(BIN_F_TOO_LONG),
                          Name, Value->GetSize(), Long);
      throw 31;
-      } // endif
+    } // endif

  } // end of WriteColumn