rpms
/
mariadb
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Apply fixes found by Coverity static analysis tool

This commit is contained in:
Honza Horák 2013-06-27 16:40:14 +02:00
parent 9a1819acac
commit af63a8bf7c
3 changed files with 97 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
mariadb-covscan-signexpr.patch Normal file
View File

@ -0,0 +1,16 @@
This issue has been found by Coverity - static analysis tool.
mysql-5.5.31/strings/ctype-ucs2.c:1707:sign_extension Suspicious implicit sign extension: "s[0]" with type "unsigned char" (8 bits, unsigned) is promoted in "(s[0] << 24) + (s[1] << 16) + (s[2] << 8) + s[3]" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "(s[0] << 24) + (s[1] << 16) + (s[2] << 8) + s[3]" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
diff -up mysql-5.5.31/strings/ctype-ucs2.c.covscan1 mysql-5.5.31/strings/ctype-ucs2.c
--- mysql-5.5.31/strings/ctype-ucs2.c.covscan1 2013-06-14 12:12:29.663300314 +0200
+++ mysql-5.5.31/strings/ctype-ucs2.c 2013-06-14 12:13:07.809299646 +0200
@@ -1704,7 +1704,7 @@ my_utf32_uni(CHARSET_INFO *cs __attribut
{
if (s + 4 > e)
return MY_CS_TOOSMALL4;
- *pwc= (s[0] << 24) + (s[1] << 16) + (s[2] << 8) + (s[3]);
+ *pwc= (((my_wc_t)s[0]) << 24) + (s[1] << 16) + (s[2] << 8) + (s[3]);
return 4;
}

73
mariadb-covscan-stroverflow.patch Normal file
View File

@ -0,0 +1,73 @@
The following problems have been found by Coverity - static analysis tool.
mysql-5.5.31/plugin/semisync/semisync_master.cc:672:parameter_as_source Note: This defect has an elevated risk because the source argument is a parameter of the current function.
mysql-5.5.31/plugin/semisync/semisync_master.cc:661:parameter_as_source Note: This defect has an elevated risk because the source argument is a parameter of the current function.
mysql-5.5.31/plugin/semisync/semisync_master.cc:555:parameter_as_source Note: This defect has an elevated risk because the source argument is a parameter of the current function.
diff -up mysql-5.5.31/plugin/semisync/semisync_master.cc.covscan-stroverflow mysql-5.5.31/plugin/semisync/semisync_master.cc
--- mysql-5.5.31/plugin/semisync/semisync_master.cc.covscan-stroverflow 2013-06-17 09:04:47.214621154 +0200
+++ mysql-5.5.31/plugin/semisync/semisync_master.cc 2013-06-17 09:08:32.189617218 +0200
@@ -552,7 +552,8 @@ int ReplSemiSyncMaster::reportReplyBinlo
if (need_copy_send_pos)
{
- strcpy(reply_file_name_, log_file_name);
+ strncpy(reply_file_name_, log_file_name, sizeof(reply_file_name_)-1);
+ reply_file_name_[sizeof(reply_file_name_)-1] = '\0';
reply_file_pos_ = log_file_pos;
reply_file_name_inited_ = true;
@@ -658,7 +659,8 @@ int ReplSemiSyncMaster::commitTrx(const
if (cmp <= 0)
{
/* This thd has a lower position, let's update the minimum info. */
- strcpy(wait_file_name_, trx_wait_binlog_name);
+ strncpy(wait_file_name_, trx_wait_binlog_name, sizeof(wait_file_name_)-1);
+ wait_file_name_[sizeof(wait_file_name_)-1] = '\0';
wait_file_pos_ = trx_wait_binlog_pos;
rpl_semi_sync_master_wait_pos_backtraverse++;
@@ -669,7 +671,8 @@ int ReplSemiSyncMaster::commitTrx(const
}
else
{
- strcpy(wait_file_name_, trx_wait_binlog_name);
+ strncpy(wait_file_name_, trx_wait_binlog_name, sizeof(wait_file_name_)-1);
+ wait_file_name_[sizeof(wait_file_name_)-1] = '\0';
wait_file_pos_ = trx_wait_binlog_pos;
wait_file_name_inited_ = true;
mysql-5.5.31/sql/rpl_handler.cc:306:fixed_size_dest You might overrun the 512 byte fixed-size string "log_info->log_file" by copying "log_file + dirname_length(log_file)" without checking the length. diff -up mysql-5.5.31/sql/rpl_handler.cc.covscan-stroverflow mysql-5.5.31/sql/rpl_handler.cc
--- mysql-5.5.31/sql/rpl_handler.cc.covscan-stroverflow 2013-06-17 10:51:04.940509594 +0200
+++ mysql-5.5.31/sql/rpl_handler.cc 2013-06-17 10:51:08.959509523 +0200
@@ -303,7 +303,8 @@ int Binlog_storage_delegate::after_flush
my_pthread_setspecific_ptr(RPL_TRANS_BINLOG_INFO, log_info);
}
- strcpy(log_info->log_file, log_file+dirname_length(log_file));
+ strncpy(log_info->log_file, log_file+dirname_length(log_file), sizeof(log_info->log_file)-1);
+ log_info->log_file[sizeof(log_info->log_file)-1] = '\0';
log_info->log_pos = log_pos;
int ret= 0;
mysql-5.5.31/sql/sp_rcontext.h:87:buffer_size_warning Calling strncpy with a maximum size argument of 512 bytes on destination array "this->m_message" of size 512 bytes might leave the destination string unterminated.
diff -up mysql-5.5.31/sql/sp_rcontext.h.covscan-stroverflow mysql-5.5.31/sql/sp_rcontext.h
--- mysql-5.5.31/sql/sp_rcontext.h.covscan-stroverflow 2013-06-17 13:28:32.540344334 +0200
+++ mysql-5.5.31/sql/sp_rcontext.h 2013-06-17 13:29:23.673343443 +0200
@@ -84,7 +84,8 @@ public:
memcpy(m_sql_state, sqlstate, SQLSTATE_LENGTH);
m_sql_state[SQLSTATE_LENGTH]= '\0';
- strncpy(m_message, msg, MYSQL_ERRMSG_SIZE);
+ strncpy(m_message, msg, sizeof(m_message)-1);
+ m_message[sizeof(m_message)-1] = '\0';
}
void clear()

9
mariadb.spec
View File

@ -1,6 +1,6 @@
Name: mariadb
Version: 5.5.31
Release: 4%{?dist}
Release: 5%{?dist}
Epoch: 1
Summary: A community developed branch of MySQL
@ -62,6 +62,8 @@ Patch13: mariadb-man-plugin.patch
Patch14: mariadb-basedir.patch
Patch15: mariadb-tmpdir.patch
Patch16: mariadb-man-pages.patch
Patch17: mariadb-covscan-signexpr.patch
Patch18: mariadb-covscan-stroverflow.patch
BuildRequires: perl, readline-devel, openssl-devel
BuildRequires: cmake, ncurses-devel, zlib-devel, libaio-devel
@ -263,6 +265,8 @@ MariaDB is a community developed branch of MySQL.
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
# workaround for upstream bug #56342
rm -f mysql-test/t/ssl_8k_key-master.opt
@ -775,6 +779,9 @@ fi
%{_mandir}/man1/mysql_client_test.1*
%changelog
* Thu Jun 27 2013 Honza Horak <hhorak@redhat.com> 5.5.31-5
- Apply fixes found by Coverity static analysis tool
* Wed Jun 19 2013 Honza Horak <hhorak@redhat.com> 5.5.31-4
- Do not use pretrans scriptlet, which doesn't work in anaconda
Resolves: #975348