authorMarko Mäkelä <marko.makela@mariadb.com>2020-09-03 09:05:56 +0300
committerMarko Mäkelä <marko.makela@mariadb.com>2020-09-03 09:05:56 +0300
commit94a520ddbe39ae97de1135d98699cf2674e6b77e (patch)
tree051dc62fd84edc150754dd826830d467b45074d8
parenta256070e7d94fdd1d63a4823c638ff5c76ca9c73 (diff)
downloadmariadb-git-94a520ddbe39ae97de1135d98699cf2674e6b77e.tar.gz
MDEV-22387: Do not pass null pointer to some memcpy()
Passing a null pointer to a nonnull argument is not only undefined behaviour, but it also grants the compiler the permission to optimize away further checks whether the pointer is null. GCC -O2 at least starting with version 8 may do that, potentially causing SIGSEGV. These problems were caught in a WITH_UBSAN=ON build with the Bug#7024 test in main.view.
-rw-r--r--mysys/mf_iocache.c8
-rw-r--r--mysys/my_alloc.c4
-rw-r--r--sql/debug_sync.cc4
-rw-r--r--sql/net_serv.cc5
-rw-r--r--sql/sql_string.h5
5 files changed, 17 insertions, 9 deletions
diff --git a/mysys/mf_iocache.c b/mysys/mf_iocache.c
index 1245a622262..11f7bbd81b4 100644
--- a/mysys/mf_iocache.c
+++ b/mysys/mf_iocache.c
@@ -1,6 +1,6 @@
/*
Copyright (c) 2000, 2011, Oracle and/or its affiliates
- Copyright (c) 2010, 2015, MariaDB
+ Copyright (c) 2010, 2020, MariaDB
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -703,7 +703,8 @@ int _my_b_cache_read(IO_CACHE *info, uchar *Buffer, size_t Count)
info->read_pos=info->buffer+Count;
info->read_end=info->buffer+length;
info->pos_in_file=pos_in_file;
- memcpy(Buffer, info->buffer, Count);
+ if (Count)
+ memcpy(Buffer, info->buffer, Count);
DBUG_RETURN(0);
}
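Review bot: The new `if (Count)` guard in front of the memcpy() carries no comment, so it reads as a redundant check that a later cleanup could remove. A line such as `/* memcpy() arguments must be non-null even when Count is 0 */` above the guard would record why it is there. The same applies to the guards added in _my_b_cache_read_r, strmake_root, debug_sync_bmove_len, net_write_buff and q_append in sql/sql_string.h. The body of _my_b_cache_read starts outside this hunk, so which pointer can be null here is not visible; presumably it is Buffer.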
@@ -1206,7 +1207,8 @@ static int _my_b_cache_read_r(IO_CACHE *cache, uchar *Buffer, size_t Count)
DBUG_RETURN(1);
}
cnt= (len > Count) ? Count : len;
- memcpy(Buffer, cache->read_pos, cnt);
+ if (cnt)
+ memcpy(Buffer, cache->read_pos, cnt);
Count -= cnt;
Buffer+= cnt;
left_length+= cnt;
diff --git a/mysys/my_alloc.c b/mysys/my_alloc.c
index 3b614cb4c15..5bfcb455b8a 100644
--- a/mysys/my_alloc.c
+++ b/mysys/my_alloc.c
@@ -1,5 +1,6 @@
/*
Copyright (c) 2000, 2010, Oracle and/or its affiliates
+ Copyright (c) 2010, 2020, MariaDB
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -449,7 +450,8 @@ char *strmake_root(MEM_ROOT *root, const char *str, size_t len)
char *pos;
if ((pos=alloc_root(root,len+1)))
{
- memcpy(pos,str,len);
+ if (len)
+ memcpy(pos,str,len);
pos[len]=0;
}
return pos;
diff --git a/sql/debug_sync.cc b/sql/debug_sync.cc
index 591ce5800a8..79f3a241907 100644
--- a/sql/debug_sync.cc
+++ b/sql/debug_sync.cc
@@ -1,4 +1,5 @@
/* Copyright (c) 2009, 2013, Oracle and/or its affiliates.
+ Copyright (c) 2013, 2020, MariaDB
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -319,7 +320,8 @@ static char *debug_sync_bmove_len(char *to, char *to_end,
DBUG_ASSERT(to_end);
DBUG_ASSERT(!length || from);
set_if_smaller(length, (size_t) (to_end - to));
- memcpy(to, from, length);
+ if (length)
+ memcpy(to, from, length);
return (to + length);
}
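Review bot: The clamp `set_if_smaller(length, (size_t) (to_end - to))` just above the new guard only bounds the copy when `to <= to_end`; if `to` were past `to_end`, the difference would convert to a very large size_t and length would stay unclamped. The visible assertions cover `to_end` and `from` but not that ordering. The start of debug_sync_bmove_len is outside the hunk, so the ordering may already be asserted there. If it is not, `DBUG_ASSERT(to <= to_end);` before the clamp would state the precondition the bound relies on.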
diff --git a/sql/net_serv.cc b/sql/net_serv.cc
index ea5e4353c83..22eee6297c9 100644
--- a/sql/net_serv.cc
+++ b/sql/net_serv.cc
@@ -1,5 +1,5 @@
/* Copyright (c) 2000, 2016, Oracle and/or its affiliates.
- Copyright (c) 2012, 2017, MariaDB Corporation
+ Copyright (c) 2012, 2020, MariaDB Corporation.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -577,7 +577,8 @@ net_write_buff(NET *net, const uchar *packet, ulong len)
return net_real_write(net, packet, len) ? 1 : 0;
/* Send out rest of the blocks as full sized blocks */
}
- memcpy((char*) net->write_pos,packet,len);
+ if (len)
+ memcpy((char*) net->write_pos,packet,len);
net->write_pos+= len;
return 0;
}
diff --git a/sql/sql_string.h b/sql/sql_string.h
index 6fd3d7a10db..fe756fe1cdf 100644
--- a/sql/sql_string.h
+++ b/sql/sql_string.h
@@ -3,7 +3,7 @@
/*
Copyright (c) 2000, 2013, Oracle and/or its affiliates.
- Copyright (c) 2008, 2013, Monty Program Ab.
+ Copyright (c) 2008, 2020, MariaDB Corporation.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -512,7 +512,8 @@ public:
}
void q_append(const char *data, uint32 data_len)
{
- memcpy(Ptr + str_length, data, data_len);
+ if (data_len)
+ memcpy(Ptr + str_length, data, data_len);
str_length += data_len;
}
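Review bot: q_append writes data_len bytes at `Ptr + str_length` with no capacity check visible in this hunk, and the new guard only covers the zero-length case. If the contract is that callers reserve space first, a short comment on the method should say so. A debug assertion before the memcpy() that the allocated size covers `str_length + data_len` would also make an overrun detectable in debug builds. The enclosing class starts and ends outside the hunk, so the name of the capacity member is not visible here.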