author | Timothy Smith <timothy.smith@sun.com> | 2008-12-14 12:21:24 -0700 |
---|---|---|
committer | Timothy Smith <timothy.smith@sun.com> | 2008-12-14 12:21:24 -0700 |
commit | 1c0d9aa0825ec1341a31433d3f05e56f22def977 (patch) | |
tree | 00137a7948051edeed2a7b4d3a607783d738f12b /storage | |
parent | efbac9aabc7245afa12b3ec954ff4b65766cc2d1 (diff) | |
download | mariadb-git-1c0d9aa0825ec1341a31433d3f05e56f22def977.tar.gz |
Complete application of InnoDB snapshot innodb-5.1-ss2485, part 2. Fixes
Bug #36149: Read buffer overflow in srv0start.c found during "make test"
Detailed revision comments:
r2485 | vasil | 2008-05-28 16:01:14 +0300 (Wed, 28 May 2008) | 9 lines
branches/5.1:
Fix Bug#36149 Read buffer overflow in srv0start.c found during "make test"
Use strncmp(3) instead of memcmp(3) to avoid reading past end of the string
if it is empty (*str == '\0'). This bug is _not_ a buffer overflow.
Discussed with: Sunny (via IM)
Diffstat (limited to 'storage')
-rw-r--r-- | storage/innobase/srv/srv0start.c | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/storage/innobase/srv/srv0start.c b/storage/innobase/srv/srv0start.c
index 979d882307a..ea88039f3dd 100644
--- a/storage/innobase/srv/srv0start.c
+++ b/storage/innobase/srv/srv0start.c
@@ -202,13 +202,13 @@ srv_parse_data_file_paths_and_sizes(
 str = srv_parse_megabytes(str, &size);
- if (0 == memcmp(str, ":autoextend",
- (sizeof ":autoextend") - 1)) {
+ if (0 == strncmp(str, ":autoextend",
+ (sizeof ":autoextend") - 1)) {
 str += (sizeof ":autoextend") - 1;
- if (0 == memcmp(str, ":max:",
- (sizeof ":max:") - 1)) {
+ if (0 == strncmp(str, ":max:",
+ (sizeof ":max:") - 1)) {
 str += (sizeof ":max:") - 1;
@@ -290,14 +290,15 @@ srv_parse_data_file_paths_and_sizes(
 (*data_file_names)[i] = path;
 (*data_file_sizes)[i] = size;
- if (0 == memcmp(str, ":autoextend",
- (sizeof ":autoextend") - 1)) {
+ if (0 == strncmp(str, ":autoextend",
+ (sizeof ":autoextend") - 1)) {
 *is_auto_extending = TRUE;
 str += (sizeof ":autoextend") - 1;
- if (0 == memcmp(str, ":max:", (sizeof ":max:") - 1)) {
+ if (0 == strncmp(str, ":max:",
+ (sizeof ":max:") - 1)) {
 str += (sizeof ":max:") - 1; |
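Review bot: Nothing in the code records why the `:autoextend` and `:max:` tests use strncmp() rather than memcmp(), so a later cleanup could switch them back and reintroduce the read past the terminating NUL. With memcmp() the full literal length is compared regardless of how many bytes remain in `str`, so any tail shorter than the literal is affected, while strncmp() stops at the first NUL. I would add a comment above the first test, for example `/* strncmp(), not memcmp(): str may end before the literal does, and must not be read past its NUL */`. The same comment fits the two tests in the hunk at -290, and the function body starts and ends outside both hunks.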
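Review bot: Each prefix test and the `str +=` that follows it spell out `(sizeof ":autoextend") - 1` or `(sizeof ":max:") - 1` independently, and the same pair now appears in both hunks of this function, so a literal and its length can drift apart without the compiler noticing. A file-local helper or macro that takes the literal once, along the lines of `#define LIT_LEN(s) ((sizeof s) - 1)` (name constructed for illustration), would keep the bounded comparison and the pointer advance tied to one token. The new calls also depend on `str` being NUL-terminated, which cannot be confirmed from the visible lines and is worth stating in the function's header comment. The enclosing function continues outside the hunk.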