author | Shishir Jaiswal <shishir.j.jaiswal@oracle.com> | 2016-05-16 13:46:49 +0530 |
---|---|---|
committer | Shishir Jaiswal <shishir.j.jaiswal@oracle.com> | 2016-05-16 13:46:49 +0530 |
commit | cb2974156823977fd2c700c64ff0867183b3f744 (patch) | |
tree | f5703689109a6628955ca39bd559183ee4269b8d /regex | |
parent | df7ecf64f5b9c6fb4b7789a414306de89b58bec7 (diff) | |
download | mariadb-git-cb2974156823977fd2c700c64ff0867183b3f744.tar.gz |
Bug#21977380 - POSSIBLE BUFFER OVERFLOW ISSUES
DESCRIPTION
===========
Buffer overflow is reported in a lot of code sections
spanning across server, client programs, Regex libraries
etc. If not handled appropriately, they can cause abnormal
behaviour.
ANALYSIS
========
The reported cases are the ones which are likely to result
in SEGFAULT, MEMORY LEAK etc.
FIX
===
- sprintf() has been replaced by my_snprintf() to avoid
buffer overflow.
- my_free() is done after checking if the pointer isn't
NULL already and setting it to NULL thereafter at few
places.
- Buffer is ensured to be large enough to hold the data.
- 'unsigned int' (aka 'uint') is replaced with 'size_t'
to avoid wraparound.
- Memory is freed (if not done so) after it's allocated and
used.
- Inserted assert() for size check in InnoDB memcached
code (from 5.6 onwards)
- Other minor changes
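The three patterns the commit message lists (a length check before copying into a fixed buffer, snprintf-style bounded formatting with truncation detection, and freeing a pointer only when it is non-NULL and clearing it afterwards) are shown together below in a small stand-alone C example. This is added illustration, not MariaDB code; the function names `checked_copy`, `bounded_format` and `free_and_clear` are hypothetical, and plain `snprintf` stands in for `my_snprintf`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copies src into dst only when it fits, including the terminating NUL,
 * using the same "sizeof(buf)-1 < strlen(arg)" shape as the split.c fix.
 * Returns 0 on success and -1 when the copy would overflow dst. */
int checked_copy(char *dst, size_t dstsz, const char *src)
{
    size_t len = strlen(src);
    if (dstsz == 0 || dstsz - 1 < len)
        return -1;                 /* refuse rather than overrun the buffer */
    memcpy(dst, src, len + 1);     /* len + 1 copies the NUL as well */
    return 0;
}

/* Formats "name=n" into a fixed buffer with snprintf (stand-in for
 * my_snprintf). snprintf never writes past dstsz, but it still reports
 * how long the full string would have been; this returns how many
 * characters were dropped so callers can detect truncation instead of
 * silently using a cut-off string. */
size_t bounded_format(char *dst, size_t dstsz, const char *name, int n)
{
    int needed = snprintf(dst, dstsz, "%s=%d", name, n);
    if (needed < 0 || dstsz == 0)
        return 0;                  /* encoding error or nothing written */
    if ((size_t)needed >= dstsz)
        return (size_t)needed - (dstsz - 1);
    return 0;
}

/* Frees *p only if it is non-NULL and resets it, so a second call on the
 * same variable is a harmless no-op instead of a double free. */
void free_and_clear(char **p)
{
    if (*p != NULL) {
        free(*p);
        *p = NULL;
    }
}

int main(void)
{
    char buf[8];                               /* constructed sample buffer */
    char *heap = malloc(16);                   /* constructed sample allocation */

    printf("copy 7 chars : %d\n", checked_copy(buf, sizeof buf, "1234567"));
    printf("copy 8 chars : %d\n", checked_copy(buf, sizeof buf, "12345678"));
    printf("dropped      : %zu\n", bounded_format(buf, sizeof buf, "abcdef", 12));
    free_and_clear(&heap);
    free_and_clear(&heap);                     /* safe: pointer is already NULL */
    printf("heap is NULL : %d\n", heap == NULL);
    return 0;
}
```

`checked_copy` and `bounded_format` return a value rather than aborting, so the caller decides whether a too-long argument is a usage error to report or a condition to handle; the split.c hunk chooses `exit(EXIT_FAILURE)`, which is appropriate for a command-line test program but not for library code.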
Diffstat (limited to 'regex')
-rw-r--r-- | regex/split.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/regex/split.c b/regex/split.c index bd2a53c01e3..a3a11f793ed 100644 --- a/regex/split.c +++ b/regex/split.c @@ -163,6 +163,10 @@ char *argv[]; } else if (argc > 3) for (n = atoi(argv[3]); n > 0; n--) { + if(sizeof(buf)-1 < strlen(argv[1])) + { + exit(EXIT_FAILURE); + } (void) strcpy(buf, argv[1]); (void) split(buf, fields, MNF, argv[2]); } |
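Review bot: the new length check sits inside the `for (n = atoi(argv[3]); n > 0; n--)` loop, so `strlen(argv[1])` is recomputed on every iteration although `argv[1]` never changes; hoist the `if (sizeof(buf)-1 < strlen(argv[1]))` test above the loop. It also calls `exit(EXIT_FAILURE)` with no diagnostic, so a user whose argument is longer than `buf` sees the program stop silently; print a message such as `fprintf(stderr, "argument too long for buffer\n");` before exiting. Style: `if(` should be `if (` to match the surrounding code.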