From f20d15d07faa14a865148e6d965a908138e36bbf Mon Sep 17 00:00:00 2001 From: Jim Winstead Date: Mon, 23 Nov 2009 13:54:27 -0800 Subject: Fix C99 aliasing violation due to mismatched types that were papered over with a cast. (Bug #48284) --- libmysql/libmysql.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'libmysql') diff --git a/libmysql/libmysql.c b/libmysql/libmysql.c index 77ff2a01d7c..98955c8fc89 100644 --- a/libmysql/libmysql.c +++ b/libmysql/libmysql.c @@ -2285,7 +2285,7 @@ mysql_stmt_param_metadata(MYSQL_STMT *stmt) /* Store type of parameter in network buffer. */ -static void store_param_type(char **pos, MYSQL_BIND *param) +static void store_param_type(unsigned char **pos, MYSQL_BIND *param) { uint typecode= param->buffer_type | (param->is_unsigned ? 32768 : 0); int2store(*pos, typecode); @@ -2565,7 +2565,7 @@ int cli_stmt_execute(MYSQL_STMT *stmt) that is sent to the server. */ for (param= stmt->params; param < param_end ; param++) - store_param_type((char**) &net->write_pos, param); + store_param_type(&net->write_pos, param); } for (param= stmt->params; param < param_end; param++) -- cgit v1.2.1 From 06a1df91813ea2c39f7312bcf8af972c7e8a926f Mon Sep 17 00:00:00 2001 From: Davi Arnaut Date: Thu, 17 Dec 2009 15:58:38 -0200 Subject: Bug#48983: Bad strmake calls (length one too long) The problem is a somewhat common misusage of the strmake function. The strmake(dst, src, len) function writes at most /len/ bytes to the string pointed to by src, not including the trailing null byte. Hence, if /len/ is the exact length of the destination buffer, a one byte buffer overflow can occur if the length of the source string is equal to or greater than /len/. client/mysqldump.c: Make room for the trailing null byte. libmysql/libmysql.c: Add comment, there is enough room in the buffer. Increase buffer length, two strings are concatenated. libmysqld/lib_sql.cc: Make room for the trailing null byte. mysys/default.c: Make room for the trailing null bytes. mysys/mf_pack.c: Make room for the trailing null byte. server-tools/instance-manager/commands.cc: Copy only if overflow isn't possible in both cases. server-tools/instance-manager/listener.cc: Make room for the trailing null byte. sql/log.cc: Make room for the trailing null byte. sql/sp_pcontext.h: Cosmetic fix. sql/sql_acl.cc: MAX_HOSTNAME already specifies space for the trailing null byte. sql/sql_parse.cc: Make room for the trailing null byte. sql/sql_table.cc: Make room for the trailing null byte. --- libmysql/libmysql.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'libmysql') diff --git a/libmysql/libmysql.c b/libmysql/libmysql.c index d287679bebb..62feae1b56e 100644 --- a/libmysql/libmysql.c +++ b/libmysql/libmysql.c @@ -712,7 +712,10 @@ my_bool STDCALL mysql_change_user(MYSQL *mysql, const char *user, if (!passwd) passwd=""; - /* Store user into the buffer */ + /* + Store user into the buffer. + Advance position as strmake returns a pointer to the closing NUL. + */ end= strmake(end, user, USERNAME_LENGTH) + 1; /* write scrambled password according to server capabilities */ @@ -1252,7 +1255,7 @@ mysql_list_fields(MYSQL *mysql, const char *table, const char *wild) { MYSQL_RES *result; MYSQL_FIELD *fields; - char buff[257],*end; + char buff[258],*end; DBUG_ENTER("mysql_list_fields"); DBUG_PRINT("enter",("table: '%s' wild: '%s'",table,wild ? wild : "")); -- cgit v1.2.1