5.5-merge

1 files changed, 17 insertions, 15 deletions

diff --git a/sql/password.c b/sql/password.c
index 0e2b454ff4d..1b3aa8f356d 100644
--- a/sql/password.c
+++ b/sql/password.c
@@ -176,21 +176,16 @@ void scramble_323(char *to, const char *message, const char *password)
 }
 
 
-/*
-    Check scrambled message
-    Used in pre 4.1 password handling
-  SYNOPSIS
-    check_scramble_323()
-    scrambled  scrambled message to check.
-    message    original random message which was used for scrambling; must
-               be exactly SCRAMBLED_LENGTH_323 bytes long and
-               NULL-terminated.
-    hash_pass  password which should be used for scrambling
-    All params are IN.
+/**
+  Check scrambled message. Used in pre 4.1 password handling.
 
-  RETURN VALUE
-    0 - password correct
-   !0 - password invalid
+  @param scrambled  Scrambled message to check.
+  @param message    Original random message which was used for scrambling.
+  @param hash_pass  Password which should be used for scrambling.
+
+  @remark scrambled and message must be SCRAMBLED_LENGTH_323 bytes long.
+
+  @return FALSE if password is correct, TRUE otherwise.
 */
 
 my_bool
@@ -199,9 +194,16 @@ check_scramble_323(const unsigned char *scrambled, const char *message,
 {
   struct my_rnd_struct rand_st;
   ulong hash_message[2];
-  uchar buff[16],*to,extra;                      /* Big enough for check */
+  /* Big enough for checks. */
+  uchar buff[16], scrambled_buff[SCRAMBLE_LENGTH_323 + 1];
+  uchar *to, extra;
   const uchar *pos;
 
+  /* Ensure that the scrambled message is null-terminated. */
+  memcpy(scrambled_buff, scrambled, SCRAMBLE_LENGTH_323);
+  scrambled_buff[SCRAMBLE_LENGTH_323]= '\0';
+  scrambled= scrambled_buff;
+
   hash_password(hash_message, message, SCRAMBLE_LENGTH_323);
   my_rnd_init(&rand_st,hash_pass[0] ^ hash_message[0],
              hash_pass[1] ^ hash_message[1]);