Bug #13889741: HANDLE_FATAL_SIGNAL IN _DB_ENTER_ |

HANDLE_FATAL_SIGNAL IN STRNLEN Fixed the following bounds checking problems : 1. in check_if_legal_filename() make sure the null terminated string is long enough before accessing the bytes in it. Prevents pottential read-past-buffer-end 2. in my_wc_mb_filename() of the filename charset check for the end of the destination buffer before sending single byte characters into it. Prevents write-past-end-of-buffer (and garbaling stack in the cases reported here) errors. Added test cases.
author: Georgi Kodinov <Georgi.Kodinov@Oracle.com> 2012-07-05 13:41:16 +0300
committer: Georgi Kodinov <Georgi.Kodinov@Oracle.com> 2012-07-05 13:41:16 +0300
commit: 42644a07469027c6b54351bd906c9cd037d32eb6 (patch)
tree: 091a241c2df3f614399530ce23b358c319d7c65c /mysys
parent: 176d6b1dcae7470441ff1eefd3bfc27c6db137f8 (diff)
download: mariadb-git-42644a07469027c6b54351bd906c9cd037d32eb6.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/mysys/my_access.c b/mysys/my_access.c
index 210946d50a8..43917da7f98 100644
--- a/mysys/my_access.c
+++ b/mysys/my_access.c
@@ -148,7 +148,8 @@ static char reserved_map[256]=
 int check_if_legal_tablename(const char *name)
 {
   DBUG_ENTER("check_if_legal_tablename");
-  DBUG_RETURN((reserved_map[(uchar) name[0]] & 1) &&
+  DBUG_RETURN(name[0] != 0 && name[1] != 0 &&
+              (reserved_map[(uchar) name[0]] & 1) &&
               (reserved_map[(uchar) name[1]] & 2) &&
               (reserved_map[(uchar) name[2]] & 4) &&
               str_list_find(&reserved_names[1], name));
author	Georgi Kodinov <Georgi.Kodinov@Oracle.com>	2012-07-05 13:41:16 +0300
committer	Georgi Kodinov <Georgi.Kodinov@Oracle.com>	2012-07-05 13:41:16 +0300
commit	42644a07469027c6b54351bd906c9cd037d32eb6 (patch)
tree	091a241c2df3f614399530ce23b358c319d7c65c /mysys
parent	176d6b1dcae7470441ff1eefd3bfc27c6db137f8 (diff)
download	mariadb-git-42644a07469027c6b54351bd906c9cd037d32eb6.tar.gz