diff options
| author | unknown <lars-erik.bjork@sun.com> | 2009-12-14 00:58:16 +0100 |
|---|---|---|
| committer | unknown <lars-erik.bjork@sun.com> | 2009-12-14 00:58:16 +0100 |
| commit | 71c54b8c0cb146de893bbf6006b8d21a0ac2a270 (patch) | |
| tree | 8d11f6136aed9d483aee33115956b3d751c1f8da /sql/sql_update.cc | |
| parent | 794e2063471998a545e266c7268efaf2ba470d31 (diff) | |
| download | mariadb-git-71c54b8c0cb146de893bbf6006b8d21a0ac2a270.tar.gz | |
This is a patch for Bug#48500
5.0 buffer overflow for ER_UPDATE_INFO, or truncated info message in 5.1
5.0.86 has a buffer overflow/crash, and 5.1.40 has a truncated message.
errmsg.txt contains this:
ER_UPDATE_INFO
rum "Linii identificate (matched): %ld Schimbate: %ld Atentionari
(warnings): %ld"
When that is sprintf'd into a buffer of STRING_BUFFER_USUAL_SIZE size,
a buffer overflow can happen.
The solution to this is to use MYSQL_ERRMSG_SIZE for the buffer size,
instead of STRING_BUFFER_USUAL_SIZE. This will allow longer strings.
To avoid potential crashes, we will also use my_snprintf instead of
sprintf.
sql/sql_update.cc:
sing MYSQL_ERRMSG_SIZE instead of STRING_BUFFER_USUAL_SIZE.
Using my_snprintf instead of sprintf.
Diffstat (limited to 'sql/sql_update.cc')
| -rw-r--r-- | sql/sql_update.cc | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sql/sql_update.cc b/sql/sql_update.cc index 06d1bcaa8fb..35ae0febcec 100644 --- a/sql/sql_update.cc +++ b/sql/sql_update.cc @@ -600,8 +600,8 @@ int mysql_update(THD *thd, if (error < 0) { - char buff[STRING_BUFFER_USUAL_SIZE]; - sprintf(buff, ER(ER_UPDATE_INFO), (ulong) found, (ulong) updated, + char buff[MYSQL_ERRMSG_SIZE]; + my_snprintf(buff, sizeof(buff), ER(ER_UPDATE_INFO), (ulong) found, (ulong) updated, (ulong) thd->cuted_fields); thd->row_count_func= (thd->client_capabilities & CLIENT_FOUND_ROWS) ? found : updated; |