diff options
| author | Shishir Jaiswal <shishir.j.jaiswal@oracle.com> | 2016-05-16 13:46:49 +0530 |
|---|---|---|
| committer | Prashant Tekriwal <prashant.tekriwal@oracle.com> | 2016-05-16 11:33:57 +0200 |
| commit | 9d72fb4af0d87f6a69a3ccb9202b4029acf2bd56 (patch) | |
| tree | f0390f098b09894c5f8a5f42f9931d12f61d2444 /client/mysqlshow.c | |
| parent | 6768f80c0b1f0b82c5addbe47ce712ded14d0d8c (diff) | |
| download | mariadb-git-9d72fb4af0d87f6a69a3ccb9202b4029acf2bd56.tar.gz | |
Bug#21977380 - POSSIBLE BUFFER OVERFLOW ISSUES
DESCRIPTION
===========
Buffer overflow is reported in a lot of code sections
spanning across server, client programs, Regex libraries
etc. If not handled appropriately, they can cause abnormal
behaviour.
ANALYSIS
========
The reported casea are the ones which are likely to result
in SEGFAULT, MEMORY LEAK etc.
FIX
===
- sprintf() has been replaced by my_snprintf() to avoid
buffer overflow.
- my_free() is done after checking if the pointer isn't
NULL already and setting it to NULL thereafter at few
places.
- Buffer is ensured to be large enough to hold the data.
- 'unsigned int' (aka 'uint') is replaced with 'size_t'
to avoid wraparound.
- Memory is freed (if not done so) after its alloced and
used.
- Inserted assert() for size check in InnoDb memcached
code (from 5.6 onwards)
- Other minor changes
(cherry picked from commit 3487e20959c940cbd24429afa795ebfc8a01e94f)
Diffstat (limited to 'client/mysqlshow.c')
| -rw-r--r-- | client/mysqlshow.c | 36 |
1 files changed, 19 insertions, 17 deletions
diff --git a/client/mysqlshow.c b/client/mysqlshow.c index f1f8bdaf54b..d0390ec443b 100644 --- a/client/mysqlshow.c +++ b/client/mysqlshow.c @@ -52,9 +52,9 @@ static int list_tables(MYSQL *mysql,const char *db,const char *table); static int list_table_status(MYSQL *mysql,const char *db,const char *table); static int list_fields(MYSQL *mysql,const char *db,const char *table, const char *field); -static void print_header(const char *header,uint head_length,...); -static void print_row(const char *header,uint head_length,...); -static void print_trailer(uint length,...); +static void print_header(const char *header,size_t head_length,...); +static void print_row(const char *header,size_t head_length,...); +static void print_trailer(size_t length,...); static void print_res_header(MYSQL_RES *result); static void print_res_top(MYSQL_RES *result); static void print_res_row(MYSQL_RES *result,MYSQL_ROW cur); @@ -374,7 +374,8 @@ static int list_dbs(MYSQL *mysql,const char *wild) { const char *header; - uint length, counter = 0; + size_t length = 0; + uint counter = 0; ulong rowcount = 0L; char tables[NAME_LEN+1], rows[NAME_LEN+1]; char query[NAME_LEN + 100]; @@ -412,7 +413,7 @@ list_dbs(MYSQL *mysql,const char *wild) printf("Wildcard: %s\n",wild); header="Databases"; - length=(uint) strlen(header); + length= strlen(header); field=mysql_fetch_field(result); if (length < field->max_length) length=field->max_length; @@ -500,7 +501,8 @@ static int list_tables(MYSQL *mysql,const char *db,const char *table) { const char *header; - uint head_length, counter = 0; + size_t head_length; + uint counter = 0; char query[NAME_LEN + 100], rows[NAME_LEN], fields[16]; MYSQL_FIELD *field; MYSQL_RES *result; @@ -537,7 +539,7 @@ list_tables(MYSQL *mysql,const char *db,const char *table) putchar('\n'); header="Tables"; - head_length=(uint) strlen(header); + head_length= strlen(header); field=mysql_fetch_field(result); if (head_length < field->max_length) head_length=field->max_length; @@ -766,10 +768,10 @@ list_fields(MYSQL *mysql,const char *db,const char *table, *****************************************************************************/ static void -print_header(const char *header,uint head_length,...) +print_header(const char *header,size_t head_length,...) { va_list args; - uint length,i,str_length,pre_space; + size_t length,i,str_length,pre_space; const char *field; va_start(args,head_length); @@ -792,10 +794,10 @@ print_header(const char *header,uint head_length,...) putchar('|'); for (;;) { - str_length=(uint) strlen(field); + str_length= strlen(field); if (str_length > length) str_length=length+1; - pre_space=(uint) (((int) length-(int) str_length)/2)+1; + pre_space= ((length- str_length)/2)+1; for (i=0 ; i < pre_space ; i++) putchar(' '); for (i = 0 ; i < str_length ; i++) @@ -829,11 +831,11 @@ print_header(const char *header,uint head_length,...) static void -print_row(const char *header,uint head_length,...) +print_row(const char *header,size_t head_length,...) { va_list args; const char *field; - uint i,length,field_length; + size_t i,length,field_length; va_start(args,head_length); field=header; length=head_length; @@ -842,7 +844,7 @@ print_row(const char *header,uint head_length,...) putchar('|'); putchar(' '); fputs(field,stdout); - field_length=(uint) strlen(field); + field_length= strlen(field); for (i=field_length ; i <= length ; i++) putchar(' '); if (!(field=va_arg(args,char *))) @@ -856,10 +858,10 @@ print_row(const char *header,uint head_length,...) static void -print_trailer(uint head_length,...) +print_trailer(size_t head_length,...) { va_list args; - uint length,i; + size_t length,i; va_start(args,head_length); length=head_length; @@ -902,7 +904,7 @@ static void print_res_top(MYSQL_RES *result) mysql_field_seek(result,0); while((field = mysql_fetch_field(result))) { - if ((length=(uint) strlen(field->name)) > field->max_length) + if ((length= strlen(field->name)) > field->max_length) field->max_length=length; else length=field->max_length; |