database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-08-08 11:22:35 +03:00
Code Activity

- Fix MDEV-15793: Server crash in PlugCloseFile with sql_mode=''

Browse Source 
Fixed by replacing sprinf by snprintf in ShowValue to avoid
  buffer overflow. It nows always use a buffer and returns int.
  modified:   storage/connect/tabdos.cpp
  modified:   storage/connect/tabfmt.cpp
  modified:   storage/connect/value.cpp
  modified:   storage/connect/value.h
This commit is contained in:
Olivier Bertrand
2019-03-23 17:51:40 +01:00
parent d421df7ea6
commit fc1f3908c1
4 changed files with 78 additions and 84 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
storage/connect/tabfmt.cpp
View File

@@ -1485,8 +1485,8 @@ void CSVCOL::ReadColumn(PGLOBAL g)
/***********************************************************************/
void CSVCOL::WriteColumn(PGLOBAL g)
{
char *p, buf[64];
int flen;
char *p;
int n, flen;
PTDBCSV tdbp = (PTDBCSV)To_Tdb;
if (trace(2))
@@ -1508,13 +1508,14 @@ void CSVCOL::WriteColumn(PGLOBAL g)
/*********************************************************************/
/* Get the string representation of the column value. */
/*********************************************************************/
p = Value->ShowValue(buf);
p = Value->GetCharString(Buf);
n = strlen(p);
if (trace(2))
htrc("new length(%p)=%d\n", p, strlen(p));
htrc("new length(%p)=%d\n", p, n);
if ((signed)strlen(p) > flen) {
sprintf(g->Message, MSG(BAD_FLD_LENGTH), Name, p, flen,
if (n > flen) {
sprintf(g->Message, MSG(BAD_FLD_LENGTH), Name, p, n,
tdbp->RowNumber(g), tdbp->GetFile(g));
throw 34;
} else if (Dsp)