authorThayumanavar <thayumanavar.x.sachithanantha@oracle.com>2013-04-10 11:50:41 +0530
committerThayumanavar <thayumanavar.x.sachithanantha@oracle.com>2013-04-10 11:50:41 +0530
commit348d14c7e20c3efcf52ea54fc2264757c5fa4024 (patch)
tree8d23c03e298259c3f20103bb0f342405f94f7904
parentb350990a11bcf1a5c5f63c63ac0f34136a87342a (diff)
BUG#16402143 - STACK CORRUPTION IN DBUG_EXPLAIN
DESCRIPTION AND FIX: DBUG_EXPLAIN results in a buffer overflow when the length of the DEBUG variable value exceeds 255. The _db_explain_ function, which calls the macro str_to_buf, incorrectly passes the length of buf available to strnmov as len+1. The fix calculates the available space in buf and passes it to strnxmov.
-rw-r--r--dbug/dbug.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/dbug/dbug.c b/dbug/dbug.c
index d55195255d4..0a3e32348b1 100644
--- a/dbug/dbug.c
+++ b/dbug/dbug.c
@@ -919,7 +919,7 @@ void _db_pop_()
} while (0)
#define str_to_buf(S) do { \
char_to_buf(','); \
- buf=strnmov(buf, (S), len+1); \
+ buf=strnmov(buf, (S), end-buf); \
if (buf >= end) goto overflow; \
} while (0)
#define list_to_buf(l, f) do { \
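Review bot: The new bound `end-buf` in `str_to_buf` is a signed pointer difference passed as strnmov's length (presumably an unsigned size), so it is only safe while `buf < end` holds on entry. That depends on `char_to_buf(',')` jumping to `overflow` first, and its definition is outside this hunk. I would record the invariant next to the macro, e.g. `/* char_to_buf leaves buf < end, so end-buf is the space still free (> 0) */`, or make it explicit with `buf=strnmov(buf, (S), buf < end ? (size_t)(end-buf) : 0); \`. The sibling macros that write into `buf` should be checked for any remaining `len`-based bound; `list_to_buf` starts on the last line here and its body is not shown. The diffstat shows only dbug/dbug.c changed, so a regression test that sets a DEBUG value longer than 255 characters and reads it back through DBUG_EXPLAIN would keep this from regressing.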