From 348d14c7e20c3efcf52ea54fc2264757c5fa4024 Mon Sep 17 00:00:00 2001
From: Thayumanavar
Date: Wed, 10 Apr 2013 11:50:41 +0530
Subject: BUG#16402143 - STACK CORRUPTION IN DBUG_EXPLAIN

DESCRIPTION AND FIX: DBUG_EXPLAIN result in buffer overflow when the DEBUG variable values length exceed 255. In _db_explain_ function which call macro str_to_buf incorrectly passes the length of buf avaliable to strnmov as len+1. The fix calculates the avaliable space in buf and passes it to strnxmov.
---
 dbug/dbug.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dbug/dbug.c b/dbug/dbug.c
index d55195255d4..0a3e32348b1 100644
--- a/dbug/dbug.c
+++ b/dbug/dbug.c
@@ -919,7 +919,7 @@ void _db_pop_()
 } while (0)
 #define str_to_buf(S) do { \
 char_to_buf(','); \
- buf=strnmov(buf, (S), len+1); \
+ buf=strnmov(buf, (S), end-buf); \
 if (buf >= end) goto overflow; \
 } while (0)
 #define list_to_buf(l, f) do { \
-- 
cgit v1.2.1
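Review bot: The new `end-buf` argument on the `+` line is a pointer difference that strnmov takes as an unsigned size, so it is only correct while `buf < end` holds on entry; that appears to be guaranteed by the preceding `char_to_buf(',')` if, as the `} while (0)` at the top of the hunk suggests, that macro jumps to overflow once buf reaches end, but the invariant should be stated in the macro: `/* buf < end here (char_to_buf bails on overflow), so end-buf is exactly the room left */`. The `if (buf >= end) goto overflow;` check after the copy detects truncation only if strnmov returns dst+n when no terminator is found within n bytes; a one-line comment recording that assumption would keep a future swap to a variant with different return semantics from silently reopening the overflow. The commit message says the space is passed to strnxmov, but the hunk calls strnmov; one of the two should be corrected so the record matches the code. The macro's use site in _db_explain_ lies outside this hunk.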