From 4649ba7493897b3a140ab354b88decd3f0540491 Mon Sep 17 00:00:00 2001
From: Aleksey Midenkov
Date: Thu, 25 Mar 2021 11:33:11 +0300
Subject: MDEV-23455 Hangs + Sig11 in unknown location(s) due to single complex FK query

Buffer overflow in ib_push_warning() fixed by using vsnprintf().

InnoDB parser was obsoleted by MDEV-16417.

Thanks to Nikita Malyavin for review and suggestion.
---
 storage/innobase/handler/ha_innodb.cc | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'storage')

diff --git a/storage/innobase/handler/ha_innodb.cc b/storage/innobase/handler/ha_innodb.cc
index c95e6646968..a725569fa6e 100644
--- a/storage/innobase/handler/ha_innodb.cc
+++ b/storage/innobase/handler/ha_innodb.cc
@@ -22600,8 +22600,8 @@ ib_push_warning(
 	va_start(args, format);
 	buf = (char *)my_malloc(MAX_BUF_SIZE, MYF(MY_WME));
-	vsprintf(buf,format, args);
-
+	buf[MAX_BUF_SIZE - 1] = 0;
+	vsnprintf(buf, MAX_BUF_SIZE - 1, format, args);
 	push_warning_printf(thd, Sql_condition::WARN_LEVEL_WARN,
 			    convert_error_code_to_mysql((dberr_t)error, 0, thd),
 			    buf);
@@ -22632,7 +22632,8 @@ ib_push_warning(
 	if (thd) {
 		va_start(args, format);
 		buf = (char *)my_malloc(MAX_BUF_SIZE, MYF(MY_WME));
-		vsprintf(buf,format, args);
+		buf[MAX_BUF_SIZE - 1] = 0;
+		vsnprintf(buf, MAX_BUF_SIZE - 1, format, args);
 		push_warning_printf(thd, Sql_condition::WARN_LEVEL_WARN,
 				    convert_error_code_to_mysql((dberr_t)error, 0, thd),
--
cgit v1.2.1
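Review bot: The added `buf[MAX_BUF_SIZE - 1] = 0;` and the `MAX_BUF_SIZE - 1` size passed to vsnprintf are redundant in both hunks (22600 and 22632): vsnprintf always NUL-terminates within the size it is given, so `vsnprintf(buf, MAX_BUF_SIZE, format, args);` alone is sufficient and keeps the whole buffer usable. The vsnprintf return value is discarded, so an over-long message is truncated silently; a one-line comment such as `/* messages longer than MAX_BUF_SIZE are truncated */` would make that intentional. The unchanged `push_warning_printf(..., buf)` in both hunks passes the already-rendered text as the format argument, so any `%` that `format` substituted in from its arguments is interpreted a second time; passing `"%s", buf` instead avoids that. Note also that `buf` from my_malloc is written to before any NULL check (pre-existing, but the new explicit store makes it more visible). The body of ib_push_warning begins before and ends after each hunk.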