authorAlexey Kopytov <Alexey.Kopytov@sun.com>2009-05-27 14:20:57 +0400
committerAlexey Kopytov <Alexey.Kopytov@sun.com>2009-05-27 14:20:57 +0400
commit2df531fdc44a1bf410a79624932533ecb44f84ce (patch)
tree34ae98822606272f3479c61c527ed8c15c1d1702 /sql/item_strfunc.cc
parentedc19ca2520bad0e4cff40a9dac2d064882cfa2b (diff)
Bug #44767: invalid memory reads in password() and old_password() functions

The PASSWORD() and OLD_PASSWORD() functions could lead to memory reads outside of an internal buffer when used with BLOB arguments. String::c_ptr() assumes there is at least one extra byte in the internally allocated buffer when adding the trailing '\0'. This, however, may not be the case when a String object was initialized with an externally allocated buffer. The bug was fixed by adding an additional "length" argument to make_scrambled_password_323() and make_scrambled_password() in order to avoid String::c_ptr() calls for PASSWORD()/OLD_PASSWORD(). However, since the make_scrambled_password[_323] functions are a part of the client library ABI, the functions with the new interfaces were implemented with the 'my_' prefix in their names, with the old functions changed to be wrappers around the new ones to maintain interface compatibility.
Diffstat (limited to 'sql/item_strfunc.cc')
-rw-r--r--sql/item_strfunc.cc14
1 files changed, 8 insertions, 6 deletions
diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc
index bc2dcb9c61b..71d3a34cd27 100644
--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@@ -1554,16 +1554,17 @@ String *Item_func_password::val_str(String *str)
return 0;
if (res->length() == 0)
return &my_empty_string;
- make_scrambled_password(tmp_value, res->c_ptr());
+ my_make_scrambled_password(tmp_value, res->ptr(), res->length());
str->set(tmp_value, SCRAMBLED_PASSWORD_CHAR_LENGTH, res->charset());
return str;
}
-char *Item_func_password::alloc(THD *thd, const char *password)
+char *Item_func_password::alloc(THD *thd, const char *password,
+ size_t pass_len)
{
char *buff= (char *) thd->alloc(SCRAMBLED_PASSWORD_CHAR_LENGTH+1);
if (buff)
- make_scrambled_password(buff, password);
+ my_make_scrambled_password(buff, password, pass_len);
return buff;
}
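Review bot: `Item_func_password::alloc` now takes `pass_len`, but nothing in the hunk states what it must be, and a caller passing a length larger than the bytes behind `password` would bring back the out-of-bounds read this commit removes from `val_str`. A comment above the definition would pin the contract: `/* password need not be NUL-terminated; pass_len is its length in bytes and must not exceed the caller's buffer */`. `val_str` returns early when `res->length() == 0`, while `alloc` has no such guard, so whether a zero `pass_len` is safe depends on `my_make_scrambled_password`, which is not visible here. The same applies to `Item_func_old_password::alloc` in the second hunk; the callers and the header declaration are outside this diff, and `val_str` starts above the hunk.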
@@ -1577,16 +1578,17 @@ String *Item_func_old_password::val_str(String *str)
return 0;
if (res->length() == 0)
return &my_empty_string;
- make_scrambled_password_323(tmp_value, res->c_ptr());
+ my_make_scrambled_password_323(tmp_value, res->ptr(), res->length());
str->set(tmp_value, SCRAMBLED_PASSWORD_CHAR_LENGTH_323, res->charset());
return str;
}
-char *Item_func_old_password::alloc(THD *thd, const char *password)
+char *Item_func_old_password::alloc(THD *thd, const char *password,
+ size_t pass_len)
{
char *buff= (char *) thd->alloc(SCRAMBLED_PASSWORD_CHAR_LENGTH_323+1);
if (buff)
- make_scrambled_password_323(buff, password);
+ my_make_scrambled_password_323(buff, password, pass_len);
return buff;
}