Bug#48983: Bad strmake calls (length one too long)

The problem is a somewhat common misusage of the strmake function.
The strmake(dst, src, len) function writes at most /len/ bytes to
the string pointed to by src, not including the trailing null byte.
Hence, if /len/ is the exact length of the destination buffer, a
one byte buffer overflow can occur if the length of the source
string is equal to or greater than /len/.

1 files changed, 5 insertions, 2 deletions

diff --git a/libmysql/libmysql.c b/libmysql/libmysql.c
index d287679bebb..62feae1b56e 100644
--- a/libmysql/libmysql.c
+++ b/libmysql/libmysql.c
@@ -712,7 +712,10 @@ my_bool	STDCALL mysql_change_user(MYSQL *mysql, const char *user,
   if (!passwd)
     passwd="";
 
-  /* Store user into the buffer */
+  /*
+    Store user into the buffer.
+    Advance position as strmake returns a pointer to the closing NUL.
+  */
   end= strmake(end, user, USERNAME_LENGTH) + 1;
 
   /* write scrambled password according to server capabilities */
@@ -1252,7 +1255,7 @@ mysql_list_fields(MYSQL *mysql, const char *table, const char *wild)
 {
   MYSQL_RES   *result;
   MYSQL_FIELD *fields;
-  char	     buff[257],*end;
+  char	     buff[258],*end;
   DBUG_ENTER("mysql_list_fields");
   DBUG_PRINT("enter",("table: '%s'  wild: '%s'",table,wild ? wild : ""));