Complete application of InnoDB snapshot innodb-5.1-ss2485, part 2. Fixes

Bug #36149: Read buffer overflow in srv0start.c found during "make test"


Detailed revision comments:

r2485 | vasil | 2008-05-28 16:01:14 +0300 (Wed, 28 May 2008) | 9 lines
branches/5.1:

Fix Bug#36149 Read buffer overflow in srv0start.c found during "make test"

Use strncmp(3) instead of memcmp(3) to avoid reading past end of the string
if it is empty (*str == '\0'). This bug is _not_ a buffer overflow.

Discussed with:	Sunny (via IM)

1 files changed, 8 insertions, 7 deletions

diff --git a/storage/innobase/srv/srv0start.c b/storage/innobase/srv/srv0start.c
index 979d882307a..ea88039f3dd 100644
--- a/storage/innobase/srv/srv0start.c
+++ b/storage/innobase/srv/srv0start.c
@@ -202,13 +202,13 @@ srv_parse_data_file_paths_and_sizes(
 
 		str = srv_parse_megabytes(str, &size);
 
-		if (0 == memcmp(str, ":autoextend",
-				(sizeof ":autoextend") - 1)) {
+		if (0 == strncmp(str, ":autoextend",
+				 (sizeof ":autoextend") - 1)) {
 
 			str += (sizeof ":autoextend") - 1;
 
-			if (0 == memcmp(str, ":max:",
-					(sizeof ":max:") - 1)) {
+			if (0 == strncmp(str, ":max:",
+					 (sizeof ":max:") - 1)) {
 
 				str += (sizeof ":max:") - 1;
 
@@ -290,14 +290,15 @@ srv_parse_data_file_paths_and_sizes(
 		(*data_file_names)[i] = path;
 		(*data_file_sizes)[i] = size;
 
-		if (0 == memcmp(str, ":autoextend",
-				(sizeof ":autoextend") - 1)) {
+		if (0 == strncmp(str, ":autoextend",
+				 (sizeof ":autoextend") - 1)) {
 
 			*is_auto_extending = TRUE;
 
 			str += (sizeof ":autoextend") - 1;
 
-			if (0 == memcmp(str, ":max:", (sizeof ":max:") - 1)) {
+			if (0 == strncmp(str, ":max:",
+					 (sizeof ":max:") - 1)) {
 
 				str += (sizeof ":max:") - 1;