mariadb/mariadb-covscan-stroverflow.patch

74 lines
3.7 KiB
Diff
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

The following problems have been found by Coverity - static analysis tool.
mysql-5.5.31/plugin/semisync/semisync_master.cc:672:parameter_as_source Note: This defect has an elevated risk because the source argument is a parameter of the current function.
mysql-5.5.31/plugin/semisync/semisync_master.cc:661:parameter_as_source Note: This defect has an elevated risk because the source argument is a parameter of the current function.
mysql-5.5.31/plugin/semisync/semisync_master.cc:555:parameter_as_source Note: This defect has an elevated risk because the source argument is a parameter of the current function.
diff -up mysql-5.5.31/plugin/semisync/semisync_master.cc.covscan-stroverflow mysql-5.5.31/plugin/semisync/semisync_master.cc
--- mysql-5.5.31/plugin/semisync/semisync_master.cc.covscan-stroverflow 2013-06-17 09:04:47.214621154 +0200
+++ mysql-5.5.31/plugin/semisync/semisync_master.cc 2013-06-17 09:08:32.189617218 +0200
@@ -552,7 +552,8 @@ int ReplSemiSyncMaster::reportReplyBinlo
if (need_copy_send_pos)
{
- strcpy(reply_file_name_, log_file_name);
+ strncpy(reply_file_name_, log_file_name, sizeof(reply_file_name_)-1);
+ reply_file_name_[sizeof(reply_file_name_)-1] = '\0';
reply_file_pos_ = log_file_pos;
reply_file_name_inited_ = true;
@@ -658,7 +659,8 @@ int ReplSemiSyncMaster::commitTrx(const
if (cmp <= 0)
{
/* This thd has a lower position, let's update the minimum info. */
- strcpy(wait_file_name_, trx_wait_binlog_name);
+ strncpy(wait_file_name_, trx_wait_binlog_name, sizeof(wait_file_name_)-1);
+ wait_file_name_[sizeof(wait_file_name_)-1] = '\0';
wait_file_pos_ = trx_wait_binlog_pos;
rpl_semi_sync_master_wait_pos_backtraverse++;
@@ -669,7 +671,8 @@ int ReplSemiSyncMaster::commitTrx(const
}
else
{
- strcpy(wait_file_name_, trx_wait_binlog_name);
+ strncpy(wait_file_name_, trx_wait_binlog_name, sizeof(wait_file_name_)-1);
+ wait_file_name_[sizeof(wait_file_name_)-1] = '\0';
wait_file_pos_ = trx_wait_binlog_pos;
wait_file_name_inited_ = true;
mysql-5.5.31/sql/rpl_handler.cc:306:fixed_size_dest You might overrun the 512 byte fixed-size string "log_info->log_file" by copying "log_file + dirname_length(log_file)" without checking the length. diff -up mysql-5.5.31/sql/rpl_handler.cc.covscan-stroverflow mysql-5.5.31/sql/rpl_handler.cc
--- mysql-5.5.31/sql/rpl_handler.cc.covscan-stroverflow 2013-06-17 10:51:04.940509594 +0200
+++ mysql-5.5.31/sql/rpl_handler.cc 2013-06-17 10:51:08.959509523 +0200
@@ -303,7 +303,8 @@ int Binlog_storage_delegate::after_flush
my_pthread_setspecific_ptr(RPL_TRANS_BINLOG_INFO, log_info);
}
- strcpy(log_info->log_file, log_file+dirname_length(log_file));
+ strncpy(log_info->log_file, log_file+dirname_length(log_file), sizeof(log_info->log_file)-1);
+ log_info->log_file[sizeof(log_info->log_file)-1] = '\0';
log_info->log_pos = log_pos;
int ret= 0;
mysql-5.5.31/sql/sp_rcontext.h:87:buffer_size_warning Calling strncpy with a maximum size argument of 512 bytes on destination array "this->m_message" of size 512 bytes might leave the destination string unterminated.
diff -up mysql-5.5.31/sql/sp_rcontext.h.covscan-stroverflow mysql-5.5.31/sql/sp_rcontext.h
--- mysql-5.5.31/sql/sp_rcontext.h.covscan-stroverflow 2013-06-17 13:28:32.540344334 +0200
+++ mysql-5.5.31/sql/sp_rcontext.h 2013-06-17 13:29:23.673343443 +0200
@@ -84,7 +84,8 @@ public:
memcpy(m_sql_state, sqlstate, SQLSTATE_LENGTH);
m_sql_state[SQLSTATE_LENGTH]= '\0';
- strncpy(m_message, msg, MYSQL_ERRMSG_SIZE);
+ strncpy(m_message, msg, sizeof(m_message)-1);
+ m_message[sizeof(m_message)-1] = '\0';
}
void clear()