diff options
| author | unknown <tnurnberg@mysql.com/white.intern.koehntopp.de> | 2007-11-26 08:20:40 +0100 |
|---|---|---|
| committer | unknown <tnurnberg@mysql.com/white.intern.koehntopp.de> | 2007-11-26 08:20:40 +0100 |
| commit | a905ac34b59731bb69a036306297c50742753329 (patch) | |
| tree | e6e0d5c6e9e90e5a7e95d8325c0eedbee083ff12 /merge | |
| parent | 77d786b5a0cd303d30b9a22a044b916078551e6c (diff) | |
| download | mariadb-git-a905ac34b59731bb69a036306297c50742753329.tar.gz | |
Bug#31752: check strmake() bounds
strmake() calls are easy to get wrong. Add checks in extra
debug mode to identify possible exploits.
Remove some dead code.
Remove some off-by-one errors identified with new checks.
sql/log.cc:
fix off-by-one buffer-length argument to prevent stack smashing
sql/repl_failsafe.cc:
fix off-by-one buffer-length argument to prevent stack smashing
sql/set_var.cc:
fix off-by-one buffer-length argument to prevent stack smashing
(already approved, backports #31588)
sql/sql_show.cc:
misdimensioned buffers: functions further down the callstack
expect bufsize of FN_REFLEN
sql/unireg.cc:
When EXTRA_DEBUG is enabled, strmake() will write funny patterns to
buffers it operates on to identify possibly overflows. This leads to
badness in mysql_create_frm(), so we explicitly put any unused bytes
(back) into a defined state. Not a bug-fix, but part of the strmake()
bug detector.
strings/strmake.c:
strmake() takes maximum string length rather than buffer-length
(string length + 1 to accomodate \0 terminator) as argument.
Since this is easy to get wrong, add extra debug code to identify
off-by-ones so we can prevent stack smashing.
Alternative "BAD_STRING_COMPILER" removed after checking
with Monty.
Diffstat (limited to 'merge')
0 files changed, 0 insertions, 0 deletions