authorAleksey Midenkov <midenok@gmail.com>2021-03-25 11:33:11 +0300
committerAleksey Midenkov <midenok@gmail.com>2021-04-23 14:09:43 +0300
commit4649ba7493897b3a140ab354b88decd3f0540491 (patch)
tree0f0a6d22df366270f6b2b228d9f87110a995eef0 /storage
parent018d7440fdcf1baf3d0ce235092433d4ea46c485 (diff)
MDEV-23455 Hangs + Sig11 in unknown location(s) due to single complex FK query
Buffer overflow in ib_push_warning() fixed by using vsnprintf(). InnoDB parser was obsoleted by MDEV-16417. Thanks to Nikita Malyavin for review and suggestion.
Diffstat (limited to 'storage')
-rw-r--r--storage/innobase/handler/ha_innodb.cc7
1 files changed, 4 insertions, 3 deletions
diff --git a/storage/innobase/handler/ha_innodb.cc b/storage/innobase/handler/ha_innodb.cc
index c95e6646968..a725569fa6e 100644
--- a/storage/innobase/handler/ha_innodb.cc
+++ b/storage/innobase/handler/ha_innodb.cc
@@ -22600,8 +22600,8 @@ ib_push_warning(
va_start(args, format);
buf = (char *)my_malloc(MAX_BUF_SIZE, MYF(MY_WME));
- vsprintf(buf,format, args);
-
+ buf[MAX_BUF_SIZE - 1] = 0;
+ vsnprintf(buf, MAX_BUF_SIZE - 1, format, args);
push_warning_printf(thd, Sql_condition::WARN_LEVEL_WARN,
convert_error_code_to_mysql((dberr_t)error, 0, thd),
buf);
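Review bot: `buf` is still handed to `push_warning_printf()` in the format-string position (the last argument of the call that closes this hunk), so any `%` left in the already-formatted text is expanded a second time against arguments that were never passed. If callers can interpolate identifiers or other externally influenced text into the message, that is a format-string defect that survives the vsnprintf() change; passing the text as data avoids it: `push_warning_printf(thd, Sql_condition::WARN_LEVEL_WARN, convert_error_code_to_mysql((dberr_t)error, 0, thd), "%s", buf);`. Separately, `buf[MAX_BUF_SIZE - 1] = 0;` stores through the `my_malloc()` result without a NULL check, so an allocation failure turns into a crash on that line; a guard before the store is needed, and its exit path has to match the cleanup that lies outside this hunk. Both points apply equally to the second `ib_push_warning` hunk at -22632.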
@@ -22632,7 +22632,8 @@ ib_push_warning(
if (thd) {
va_start(args, format);
buf = (char *)my_malloc(MAX_BUF_SIZE, MYF(MY_WME));
- vsprintf(buf,format, args);
+ buf[MAX_BUF_SIZE - 1] = 0;
+ vsnprintf(buf, MAX_BUF_SIZE - 1, format, args);
push_warning_printf(thd, Sql_condition::WARN_LEVEL_WARN,
convert_error_code_to_mysql((dberr_t)error, 0, thd),