author | unknown <knielsen@mysql.com> | 2006-06-23 14:50:02 +0200 |
---|---|---|
committer | unknown <knielsen@mysql.com> | 2006-06-23 14:50:02 +0200 |
commit | 0f3cc95bf1523754d21cc3a4c59c0d107adc1c16 (patch) | |
tree | eeaf89f3a45a849ee7fb1618b1c0daaeb956ba6d /server-tools | |
parent | 39246e2fa75c9ebb0001907e650d960b71e68220 (diff) | |
download | mariadb-git-0f3cc95bf1523754d21cc3a4c59c0d107adc1c16.tar.gz |
BUG#20622: Fix one-byte buffer overrun in IM directory string handling.
The problem was a call to convert_dirname() with a destination buffer
that did not have room for the trailing slash added by that function.
This could cause the instance manager to crash in some cases.
mysys/mf_dirname.c:
Clarify in comments that convert_dirname destination must be larger than
source to accommodate a trailing slash.
server-tools/instance-manager/instance_options.cc:
Fix buffer overrun.
Diffstat (limited to 'server-tools')
-rw-r--r-- | server-tools/instance-manager/instance_options.cc | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/server-tools/instance-manager/instance_options.cc b/server-tools/instance-manager/instance_options.cc index 9389694822a..72621ed1662 100644 --- a/server-tools/instance-manager/instance_options.cc +++ b/server-tools/instance-manager/instance_options.cc @@ -391,8 +391,13 @@ int Instance_options::complete_initialization(const char *default_path, const char *tmp; char *end; - if (!mysqld_path && !(mysqld_path= strdup_root(&alloc, default_path))) - goto err; + if (!mysqld_path) + { + // Need one extra byte, as convert_dirname() adds a slash at the end. + if (!(mysqld_path= alloc_root(&alloc, strlen(default_path) + 2))) + goto err; + strcpy((char *)mysqld_path, default_path); + } // it's safe to cast this to char* since this is a buffer we are allocating end= convert_dirname((char*)mysqld_path, mysqld_path, NullS); |
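Review bot: the enlarged allocation is only made inside `if (!mysqld_path)`, while `convert_dirname((char*)mysqld_path, mysqld_path, NullS)` below still runs in place whether or not that branch was taken. When mysqld_path was already set before this function is called, nothing in this hunk shows that its buffer has the spare byte for the trailing slash, so the same one-byte overrun may remain on that path. Consider copying into a buffer of strlen + 2 in both cases, or point to where the pre-set buffer is sized. The comment could also spell out that the `+ 2` is one byte for the terminating NUL and one for the slash, since "one extra byte" next to `+ 2` is easy to misread. Finally, the existing comment "it's safe to cast this to char*" now only holds for the newly allocated branch and would be worth rewording.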