author | unknown <andrey@example.com> | 2006-09-27 21:31:34 +0200 |
---|---|---|
committer | unknown <andrey@example.com> | 2006-09-27 21:31:34 +0200 |
commit | 18651379578b29a5a29201e334585cd793b51c11 (patch) | |
tree | a5596e571d8f602233639309301cdef4243db21d /sql/sp.cc | |
parent | ac4b66236342910ebfb8aed19ae46113df3465c6 (diff) | |
parent | fcb8687ad98ea57bfe8d12d36af1432561054565 (diff) | |
download | mariadb-git-18651379578b29a5a29201e334585cd793b51c11.tar.gz |
Merge example.com:/work/mysql-5.0-runtime
into example.com:/work/mysql-5.1-runtime-fresh2
mysql-test/t/sp.test:
Auto merged
sql/sp.cc:
Auto merged
Diffstat (limited to 'sql/sp.cc')
-rw-r--r-- | sql/sp.cc | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/sql/sp.cc b/sql/sp.cc
index dcc05bef5cf..470718d8cdc 100644
--- a/sql/sp.cc
+++ b/sql/sp.cc
@@ -1605,7 +1605,17 @@ sp_cache_routines_and_add_tables_aux(THD *thd, LEX *lex,
 */
 if (!thd->net.report_error)
 {
- char n[NAME_LEN*2+2];
+ /*
+ SP allows full NAME_LEN chars thus he have to allocate enough
+ size in bytes. Otherwise there is stack overrun could happen
+ if multibyte sequence is `name`. `db` is still safe because the
+ rest of the server checks agains NAME_LEN bytes and not chars.
+ Hence, the overrun happens only if the name is in length > 32 and
+ uses multibyte (cyrillic, greek, etc.)
+
+ !! Change 3 with SYSTEM_CHARSET_MBMAXLEN when it's defined.
+ */
+ char n[NAME_LEN*3*2+2];
 /* m_qname.str is not always \0 terminated */
 memcpy(n, name.m_qname.str, name.m_qname.length); |
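Review bot: The `memcpy(n, name.m_qname.str, name.m_qname.length)` at the end of this hunk still copies an externally determined length into the fixed stack array with no bound. The enlarged `n[NAME_LEN*3*2+2]` is safe only while every path that builds `name` has already limited it to NAME_LEN characters of at most 3 bytes each, and the old size rested on the same kind of assumption. I would clamp at the copy site with `size_t len= name.m_qname.length < sizeof(n) ? name.m_qname.length : sizeof(n) - 1;` followed by `memcpy(n, name.m_qname.str, len);`, and use `len` for the terminating write too. The literal `3` would also read better as a named constant until SYSTEM_CHARSET_MBMAXLEN exists, so that the follow-up the comment asks for is a one-line change. The enclosing function starts before and continues past this hunk, so the terminating write is not visible here and is assumed to follow the memcpy.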