From cb2974156823977fd2c700c64ff0867183b3f744 Mon Sep 17 00:00:00 2001
From: Shishir Jaiswal <shishir.j.jaiswal@oracle.com>
Date: Mon, 16 May 2016 13:46:49 +0530
Subject: Bug#21977380 - POSSIBLE BUFFER OVERFLOW ISSUES

DESCRIPTION
===========
Buffer overflow is reported in a lot of code sections
spanning across server, client programs, Regex libraries
etc. If not handled appropriately, they can cause abnormal
behaviour.

ANALYSIS
========
The reported casea are the ones which are likely to result
in SEGFAULT, MEMORY LEAK etc.

FIX
===
- sprintf() has been replaced by my_snprintf() to avoid
buffer overflow.
- my_free() is done after checking if the pointer isn't
  NULL already and setting it to NULL thereafter at few
  places.
- Buffer is ensured to be large enough to hold the data.
- 'unsigned int' (aka 'uint') is replaced with 'size_t'
to avoid wraparound.
- Memory is freed (if not done so) after its alloced and
used.
- Inserted assert() for size check in InnoDb memcached
code (from 5.6 onwards)
- Other minor changes
---
 regex/split.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'regex')

diff --git a/regex/split.c b/regex/split.c
index bd2a53c01e3..a3a11f793ed 100644
--- a/regex/split.c
+++ b/regex/split.c
@@ -163,6 +163,10 @@ char *argv[];
 		}
 	else if (argc > 3)
 		for (n = atoi(argv[3]); n > 0; n--) {
+                        if(sizeof(buf)-1 < strlen(argv[1]))
+                        {
+                          exit(EXIT_FAILURE);
+                        }
 			(void) strcpy(buf, argv[1]);
 			(void) split(buf, fields, MNF, argv[2]);
 		}
-- 
cgit v1.2.1