Bug #27231: Server crash when dumping into outfile with long FIELDS ENCLOSED BY option

- Problem: data separators were copied to a fixed-size buffer
  on the stack; memcpy was used, without bounds checking; a
  server crash could result if long FIELDS ENCLOSED BY, etc.,
  was given
- Fix: write the separators directly, instead of copying to
  a buffer first (in select_export::send_data())


sql/sql_class.cc:
  In select_export::send_data(), write data separators
  directly, instead of copying into a fixed-size memory
  buffer before writing.  This avoids a buffer overflow
  when very large separators are specified.

1 files changed, 6 insertions, 8 deletions

diff --git a/sql/sql_class.cc b/sql/sql_class.cc
index c8d90848f6e..b187d29021a 100644
--- a/sql/sql_class.cc
+++ b/sql/sql_class.cc
@@ -1048,7 +1048,6 @@ bool select_export::send_data(List<Item> &items)
   }
   row_count++;
   Item *item;
-  char *buff_ptr=buff;
   uint used_length=0,items_left=items.elements;
   List_iterator_fast<Item> li(items);
 
@@ -1148,19 +1147,18 @@ bool select_export::send_data(List<Item> &items)
 	  goto err;
       }
     }
-    buff_ptr=buff;				// Place separators here
     if (res && (!exchange->opt_enclosed || result_type == STRING_RESULT))
     {
-      memcpy(buff_ptr,exchange->enclosed->ptr(),exchange->enclosed->length());
-      buff_ptr+=exchange->enclosed->length();
+      if (my_b_write(&cache, (byte*) exchange->enclosed->ptr(),
+                     exchange->enclosed->length()))
+        goto err;
     }
     if (--items_left)
     {
-      memcpy(buff_ptr,exchange->field_term->ptr(),field_term_length);
-      buff_ptr+=field_term_length;
+      if (my_b_write(&cache, (byte*) exchange->field_term->ptr(),
+                     field_term_length))
+        goto err;
     }
-    if (my_b_write(&cache,(byte*) buff,(uint) (buff_ptr-buff)))
-      goto err;
   }
   if (my_b_write(&cache,(byte*) exchange->line_term->ptr(),
 		 exchange->line_term->length()))