Bug#31588: buffer overrun when setting variables

Buffer used when setting variables was not dimensioned to accomodate trailing '\0'. An overflow by one character was therefore possible. CS corrects limits to prevent such overflows. mysql-test/r/variables.result: Try to overflow buffer used for setting system variables. Unpatched server should throw a valgrind warning here. Actual value and error message irrelevant, only length counts. mysql-test/t/variables.test: Try to overflow buffer used for setting system variables. sql/set_var.cc: Adjust maximum number of characters we can store in 'buff' by one as strmake() will write a terminating '\0'.
author: unknown <tnurnberg@sin.intern.azundris.com> 2007-10-18 10:47:54 +0200
committer: unknown <tnurnberg@sin.intern.azundris.com> 2007-10-18 10:47:54 +0200
commit: cd9d89a75d4cd5e9408cd34e6229910acf23cdc1 (patch)
tree: d5f9a4b59eab9b021a873e89e87187e3d3765c5b /sql
parent: 77d786b5a0cd303d30b9a22a044b916078551e6c (diff)
download: mariadb-git-cd9d89a75d4cd5e9408cd34e6229910acf23cdc1.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/sql/set_var.cc b/sql/set_var.cc
index 520ee5c9f70..1d18eba30a8 100644
--- a/sql/set_var.cc
+++ b/sql/set_var.cc
@@ -1573,7 +1573,7 @@ bool sys_var::check_set(THD *thd, set_var *var, TYPELIB *enum_names)
 					    &not_used));
     if (error_len)
     {
-      strmake(buff, error, min(sizeof(buff), error_len));
+      strmake(buff, error, min(sizeof(buff) - 1, error_len));
       goto err;
     }
   }
author	unknown <tnurnberg@sin.intern.azundris.com>	2007-10-18 10:47:54 +0200
committer	unknown <tnurnberg@sin.intern.azundris.com>	2007-10-18 10:47:54 +0200
commit	cd9d89a75d4cd5e9408cd34e6229910acf23cdc1 (patch)
tree	d5f9a4b59eab9b021a873e89e87187e3d3765c5b /sql
parent	77d786b5a0cd303d30b9a22a044b916078551e6c (diff)
download	mariadb-git-cd9d89a75d4cd5e9408cd34e6229910acf23cdc1.tar.gz