Bug #13889741: HANDLE_FATAL_SIGNAL IN _DB_ENTER_ |

HANDLE_FATAL_SIGNAL IN STRNLEN Fixed the following bounds checking problems : 1. in check_if_legal_filename() make sure the null terminated string is long enough before accessing the bytes in it. Prevents pottential read-past-buffer-end 2. in my_wc_mb_filename() of the filename charset check for the end of the destination buffer before sending single byte characters into it. Prevents write-past-end-of-buffer (and garbaling stack in the cases reported here) errors. Added test cases.
author: Georgi Kodinov <Georgi.Kodinov@Oracle.com> 2012-07-05 13:41:16 +0300
committer: Georgi Kodinov <Georgi.Kodinov@Oracle.com> 2012-07-05 13:41:16 +0300
commit: 048577429f3adcb27100ace3dd6fd4579bcd9e53 (patch)
tree: 091a241c2df3f614399530ce23b358c319d7c65c /strings
parent: 91c8e79fcd98bb586f32b22f5d67fcd5ae08ae28 (diff)
download: mariadb-git-048577429f3adcb27100ace3dd6fd4579bcd9e53.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/strings/ctype-utf8.c b/strings/ctype-utf8.c
index 205f8c61ddd..a0e69feedab 100644
--- a/strings/ctype-utf8.c
+++ b/strings/ctype-utf8.c
@@ -4326,6 +4326,10 @@ my_wc_mb_filename(CHARSET_INFO *cs __attribute__((unused)),
 {
   int code;
   char hex[]= "0123456789abcdef";
+
+  if (s >= e)
+    return MY_CS_TOOSMALL;
+
   if (wc < 128 && filename_safe_char[wc])
   {
     *s= (uchar) wc;
author	Georgi Kodinov <Georgi.Kodinov@Oracle.com>	2012-07-05 13:41:16 +0300
committer	Georgi Kodinov <Georgi.Kodinov@Oracle.com>	2012-07-05 13:41:16 +0300
commit	048577429f3adcb27100ace3dd6fd4579bcd9e53 (patch)
tree	091a241c2df3f614399530ce23b358c319d7c65c /strings
parent	91c8e79fcd98bb586f32b22f5d67fcd5ae08ae28 (diff)
download	mariadb-git-048577429f3adcb27100ace3dd6fd4579bcd9e53.tar.gz