authorunknown <tnurnberg@mysql.com/white.intern.koehntopp.de>2007-11-26 09:13:23 +0100
committerunknown <tnurnberg@mysql.com/white.intern.koehntopp.de>2007-11-26 09:13:23 +0100
commit1c72446ef69cf6c50cf9b2dae69b2b24a7576103 (patch)
treeaf61eb4308a4957b098cc00e4e557672f7f68cfa
parentfe280afa26ba21f6c1ba3edc83e930eff96704d0 (diff)
downloadmariadb-git-1c72446ef69cf6c50cf9b2dae69b2b24a7576103.tar.gz
Bug#31752: check strmake() bounds
strmake() called with wrong parameters: 5.0-specific fixes. client/mysql.cc: In debug-mode, strmake() fills unused part of buffer with a test-pattern. This overwrites our previous extra '\0' (from previous bzero()). sql/sp.cc: off-by-one buffer-size.
-rw-r--r--client/mysql.cc5
-rw-r--r--sql/sp.cc2
2 files changed, 5 insertions, 2 deletions
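--- a/client/mysql.cc
+++ b/client/mysql.cc
@@ -2987,7 +2987,10 @@ com_connect(String *buffer, char *line)
 Two null bytes are needed in the end of buff to allow
 get_arg to find end of string the second time it's called.
 */
-strmake(buff, line, sizeof(buff)-2);
+tmp= strmake(buff, line, sizeof(buff)-2);
+#ifdef EXTRA_DEBUG
+tmp[1]= 0;
+#endif
 tmp= get_arg(buff, 0);
 if (tmp && *tmp)
 {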
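Review bot: The second NUL terminator is only restored under `EXTRA_DEBUG` (the `#ifdef` around `tmp[1]= 0;`), so the invariant the comment above states — two null bytes at the end of buff — now depends on that macro matching exactly the configuration in which strmake() overwrites the tail of the buffer with its test pattern, and on no other build leaving the tail touched. Writing the store unconditionally costs one byte and removes that coupling: `tmp= strmake(buff, line, sizeof(buff)-2);` followed by `tmp[1]= 0;   /* restore second terminator: strmake() may clobber the bzero()ed tail */`. The index stays in bounds because strmake() copies at most sizeof(buff)-2 characters, so tmp points no further than &buff[sizeof(buff)-2]. Since get_arg() uses the second NUL as its stop condition, a missing terminator makes it scan past the end of the argument rather than return a wrong value, which is why the unconditional form is the safer one. com_connect() starts and ends outside the hunk.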
diff --git a/sql/sp.cc b/sql/sp.cc
index 75d6fa4618f..bae5933aec1 100644
--- a/sql/sp.cc
+++ b/sql/sp.cc
@@ -1902,7 +1902,7 @@ sp_use_new_db(THD *thd, LEX_STRING new_db, LEX_STRING *old_db,
if (thd->db)
{
- old_db->length= (strmake(old_db->str, thd->db, old_db->length) -
+ old_db->length= (strmake(old_db->str, thd->db, old_db->length - 1) -
old_db->str);
}
else