| author | Marc Alff <marc.alff@oracle.com> | 2010-03-04 18:36:54 -0700 |
|---|---|---|
| committer | Marc Alff <marc.alff@oracle.com> | 2010-03-04 18:36:54 -0700 |
| commit | 01b19dbbf49e055e95e65f54555f040c76949902 (patch) | |
| tree | e3724205aab8d3462f4c876645f615b1ddf91416 /storage/perfschema | |
| parent | 366a68bb460fea577719335efcfac8e14f13a077 (diff) | |
| download | mariadb-git-01b19dbbf49e055e95e65f54555f040c76949902.tar.gz | |
Bug#51738 Unit test pfs_instr-t crashes
The unit test pfs_instr-t:
- generates a very long (10,000 bytes) file name
- calls find_or_create_file.
This leads to a buffer overflow in mysys in my_realpath(),
because my_realpath and mysys file APIs in general do not
test for input parameters: mysys assumes every file name
is less than FN_REFLEN in length.
Calling find_or_create_file with a very long file name is likely
to happen when instrumenting third party code that does not use mysys,
so this test is legitimate.
The fix is to make find_or_create_file in the performance schema
more robust in this case.
Diffstat (limited to 'storage/perfschema')
| -rw-r--r-- | storage/perfschema/pfs_instr.cc | 22 |
|---|---|---|

1 files changed, 21 insertions, 1 deletions
diff --git a/storage/perfschema/pfs_instr.cc b/storage/perfschema/pfs_instr.cc index 28b54cc6979..fbaac621dfb 100644 --- a/storage/perfschema/pfs_instr.cc +++ b/storage/perfschema/pfs_instr.cc @@ -746,6 +746,26 @@ find_or_create_file(PFS_thread *thread, PFS_file_class *klass, } } + char safe_buffer[FN_REFLEN]; + const char *safe_filename; + + if (len >= FN_REFLEN) + { + /* + The instrumented code uses file names that exceeds FN_REFLEN. + This could be legal for instrumentation on non mysys APIs, + so we support it. + Truncate the file name so that: + - it fits into pfs->m_filename + - it is safe to use mysys apis to normalize the file name. + */ + memcpy(safe_buffer, filename, FN_REFLEN - 2); + safe_buffer[FN_REFLEN - 1]= 0; + safe_filename= safe_buffer; + } + else + safe_filename= filename; + /* Normalize the file name to avoid duplicates when using aliases: - absolute or relative paths @@ -759,7 +779,7 @@ find_or_create_file(PFS_thread *thread, PFS_file_class *klass, Ignore errors, the file may not exist. my_realpath always provide a best effort result in buffer. */ - (void) my_realpath(buffer, filename, MYF(0)); + (void) my_realpath(buffer, safe_filename, MYF(0)); normalized_filename= buffer; normalized_length= strlen(normalized_filename); |
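Review bot: The truncation in the first hunk leaves one byte of safe_buffer uninitialized: `memcpy(safe_buffer, filename, FN_REFLEN - 2);` fills indices 0 through FN_REFLEN - 3, `safe_buffer[FN_REFLEN - 1]= 0;` terminates at the last index, and index FN_REFLEN - 2 is never written, so my_realpath reads whatever the stack held there and the normalized name for the same over-long input can differ from call to call. Either copy FN_REFLEN - 1 bytes before the terminator or put the terminator at FN_REFLEN - 2 to match the copy length; in both cases the result is a properly terminated string of known content. Minor: the comment says "file names that exceeds FN_REFLEN"; "exceed".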
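Review bot: The second hunk only swaps the input of my_realpath to safe_filename; the output side is still unchecked. The surrounding context says my_realpath "always provide a best effort result in buffer", yet the size of buffer is not visible in the hunk and normalized_length= strlen(normalized_filename) is taken with no bound before it is used for pfs->m_filename, even though resolving a relative name to an absolute path can yield a result longer than the truncated input. A comment (or DBUG_ASSERT) documenting that buffer is at least FN_REFLEN bytes, and a check that normalized_length fits the destination, would make the fix for Bug#51738 verifiable from this function alone.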