From 62be2289a30e572525e24acb5d95aec8f6199639 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Honza=20Hor=C3=A1k?=
Date: Thu, 27 Jun 2013 16:34:43 +0200
Subject: [PATCH] Apply fixes found by Coverity static analysis tool

---
 community-mysql-covscan-signexpr.patch | 16 +++++
 community-mysql-covscan-stroverflow.patch | 73 +++++++++++++++++++++++
 community-mysql.spec | 5 ++
 3 files changed, 94 insertions(+)
 create mode 100644 community-mysql-covscan-signexpr.patch
 create mode 100644 community-mysql-covscan-stroverflow.patch

diff --git a/community-mysql-covscan-signexpr.patch b/community-mysql-covscan-signexpr.patch
new file mode 100644
index 0000000..1bbb3db
--- /dev/null
+++ b/community-mysql-covscan-signexpr.patch
@@ -0,0 +1,16 @@
+This issue has been found by Coverity - static analysis tool.
+
+mysql-5.5.31/strings/ctype-ucs2.c:1707:sign_extension – Suspicious implicit sign extension: "s[0]" with type "unsigned char" (8 bits, unsigned) is promoted in "(s[0] << 24) + (s[1] << 16) + (s[2] << 8) + s[3]" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "(s[0] << 24) + (s[1] << 16) + (s[2] << 8) + s[3]" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
+
+diff -up mysql-5.5.31/strings/ctype-ucs2.c.covscan1 mysql-5.5.31/strings/ctype-ucs2.c
+--- mysql-5.5.31/strings/ctype-ucs2.c.covscan1 2013-06-14 12:12:29.663300314 +0200
++++ mysql-5.5.31/strings/ctype-ucs2.c 2013-06-14 12:13:07.809299646 +0200
+@@ -1704,7 +1704,7 @@ my_utf32_uni(CHARSET_INFO *cs __attribut
+ {
+ if (s + 4 > e)
+ return MY_CS_TOOSMALL4;
+- *pwc= (s[0] << 24) + (s[1] << 16) + (s[2] << 8) + (s[3]);
++ *pwc= (((my_wc_t)s[0]) << 24) + (s[1] << 16) + (s[2] << 8) + (s[3]);
+ return 4;
+ }
+
diff --git a/community-mysql-covscan-stroverflow.patch b/community-mysql-covscan-stroverflow.patch
new file mode 100644
index 0000000..d671b45
--- /dev/null
+++ b/community-mysql-covscan-stroverflow.patch
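Review bot: The widening cast on `s[0]` is enough to stop the int sign-extension Coverity flagged, but the intent is easy to lose in a later cleanup, so the new `*pwc=` line deserves a why-comment: `/* widen before shifting: s[0] << 24 overflows int for s[0] >= 0x80 and would be sign-extended into my_wc_t */`. The other three shifts can stay as int arithmetic, since their results cannot exceed 0xFF0000. Note that the hunk still stores any 32-bit value into *pwc without checking it against the Unicode ceiling (0x10FFFF) or the surrogate range, so if no caller validates the code point this decoder accepts invalid UTF-32 — worth confirming against the callers rather than assuming. The signature of my_utf32_uni lies outside the hunk.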
@@ -0,0 +1,73 @@
+The following problems have been found by Coverity - static analysis tool.
+
+mysql-5.5.31/plugin/semisync/semisync_master.cc:672:parameter_as_source – Note: This defect has an elevated risk because the source argument is a parameter of the current function.
+
+mysql-5.5.31/plugin/semisync/semisync_master.cc:661:parameter_as_source – Note: This defect has an elevated risk because the source argument is a parameter of the current function.
+
+mysql-5.5.31/plugin/semisync/semisync_master.cc:555:parameter_as_source – Note: This defect has an elevated risk because the source argument is a parameter of the current function.
+
+diff -up mysql-5.5.31/plugin/semisync/semisync_master.cc.covscan-stroverflow mysql-5.5.31/plugin/semisync/semisync_master.cc
+--- mysql-5.5.31/plugin/semisync/semisync_master.cc.covscan-stroverflow 2013-06-17 09:04:47.214621154 +0200
++++ mysql-5.5.31/plugin/semisync/semisync_master.cc 2013-06-17 09:08:32.189617218 +0200
+@@ -552,7 +552,8 @@ int ReplSemiSyncMaster::reportReplyBinlo
+
+ if (need_copy_send_pos)
+ {
+- strcpy(reply_file_name_, log_file_name);
++ strncpy(reply_file_name_, log_file_name, sizeof(reply_file_name_)-1);
++ reply_file_name_[sizeof(reply_file_name_)-1] = '\0';
+ reply_file_pos_ = log_file_pos;
+ reply_file_name_inited_ = true;
+
+@@ -658,7 +659,8 @@ int ReplSemiSyncMaster::commitTrx(const
+ if (cmp <= 0)
+ {
+ /* This thd has a lower position, let's update the minimum info. */
+- strcpy(wait_file_name_, trx_wait_binlog_name);
++ strncpy(wait_file_name_, trx_wait_binlog_name, sizeof(wait_file_name_)-1);
++ wait_file_name_[sizeof(wait_file_name_)-1] = '\0';
+ wait_file_pos_ = trx_wait_binlog_pos;
+
+ rpl_semi_sync_master_wait_pos_backtraverse++;
+@@ -669,7 +671,8 @@ int ReplSemiSyncMaster::commitTrx(const
+ }
+ else
+ {
+- strcpy(wait_file_name_, trx_wait_binlog_name);
++ strncpy(wait_file_name_, trx_wait_binlog_name, sizeof(wait_file_name_)-1);
++ wait_file_name_[sizeof(wait_file_name_)-1] = '\0';
+ wait_file_pos_ = trx_wait_binlog_pos;
+ wait_file_name_inited_ = true;
+
+mysql-5.5.31/sql/rpl_handler.cc:306:fixed_size_dest – You might overrun the 512 byte fixed-size string "log_info->log_file" by copying "log_file + dirname_length(log_file)" without checking the length. diff -up mysql-5.5.31/sql/rpl_handler.cc.covscan-stroverflow mysql-5.5.31/sql/rpl_handler.cc
+
+--- mysql-5.5.31/sql/rpl_handler.cc.covscan-stroverflow 2013-06-17 10:51:04.940509594 +0200
++++ mysql-5.5.31/sql/rpl_handler.cc 2013-06-17 10:51:08.959509523 +0200
+@@ -303,7 +303,8 @@ int Binlog_storage_delegate::after_flush
+ my_pthread_setspecific_ptr(RPL_TRANS_BINLOG_INFO, log_info);
+ }
+
+- strcpy(log_info->log_file, log_file+dirname_length(log_file));
++ strncpy(log_info->log_file, log_file+dirname_length(log_file), sizeof(log_info->log_file)-1);
++ log_info->log_file[sizeof(log_info->log_file)-1] = '\0';
+ log_info->log_pos = log_pos;
+
+ int ret= 0;
+
+
+mysql-5.5.31/sql/sp_rcontext.h:87:buffer_size_warning – Calling strncpy with a maximum size argument of 512 bytes on destination array "this->m_message" of size 512 bytes might leave the destination string unterminated.
+
+diff -up mysql-5.5.31/sql/sp_rcontext.h.covscan-stroverflow mysql-5.5.31/sql/sp_rcontext.h
+--- mysql-5.5.31/sql/sp_rcontext.h.covscan-stroverflow 2013-06-17 13:28:32.540344334 +0200
++++ mysql-5.5.31/sql/sp_rcontext.h 2013-06-17 13:29:23.673343443 +0200
+@@ -84,7 +84,8 @@ public:
+ memcpy(m_sql_state, sqlstate, SQLSTATE_LENGTH);
+ m_sql_state[SQLSTATE_LENGTH]= '\0';
+
+- strncpy(m_message, msg, MYSQL_ERRMSG_SIZE);
++ strncpy(m_message, msg, sizeof(m_message)-1);
++ m_message[sizeof(m_message)-1] = '\0';
+ }
+
+ void clear()
diff --git a/community-mysql.spec b/community-mysql.spec
index 2bb0e3b..374c542 100644
--- a/community-mysql.spec
+++ b/community-mysql.spec
@@ -63,6 +63,8 @@ Patch24: community-mysql-man-pages.patch
 Patch25: community-mysql-tmpdir.patch
 Patch26: community-mysql-cve-2013-1861.patch
 Patch27: community-mysql-innodbwarn.patch
+Patch28: community-mysql-covscan-signexpr.patch
+Patch29: community-mysql-covscan-stroverflow.patch
 
 BuildRequires: perl, readline-devel, openssl-devel
 BuildRequires: cmake, ncurses-devel, zlib-devel, libaio-devel
@@ -248,6 +250,8 @@ the MySQL sources.
 %patch25 -p1
 %patch26 -p1
 %patch27 -p1
+%patch28 -p1
+%patch29 -p1
 
 # workaround for upstream bug #56342
 rm -f mysql-test/t/ssl_8k_key-master.opt
@@ -713,6 +717,7 @@ rm -f ${RPM_BUILD_ROOT}%{_datadir}/mysql/solaris/postinstall-solaris
 %changelog
 * Thu Jun 27 2013 Honza Horak 5.5.32-4
 - Remove external man pages, upstream fixed man pages license
+- Apply fixes found by Coverity static analysis tool
 * Fri Jun 14 2013 Honza Horak 5.5.32-3
 - Use man pages from 5.5.30, because their license do not
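Review bot: In the three semisync_master.cc hunks the strncpy/NUL-terminate pair turns a possible overflow into silent truncation of a binlog file name, and the `cmp <= 0` branch shows these names feed a position comparison, so a truncated `reply_file_name_`/`wait_file_name_` would make replication position tracking go wrong quietly rather than loudly; I would check the length and refuse the copy instead, e.g. `size_t len= strlen(log_file_name); if (len >= sizeof(reply_file_name_)) { /* reject: binlog name too long */ } memcpy(reply_file_name_, log_file_name, len + 1);`. The rejection action should match what the enclosing functions already return on error (their bodies begin and end outside these hunks), and the same applies to the rpl_handler.cc hunk, where the Coverity message confirms `log_info->log_file` is a 512-byte fixed array. If, as its name suggests, `log_file_name` in reportReplyBinlog originates from the slave's reply packet, the length limit should also be enforced where that packet is parsed, so a peer cannot drive the truncation — please confirm against the parser. A minor cost: strncpy zero-fills the remainder of the destination, so each of these copies now writes the whole buffer on the per-transaction commitTrx path. Using `sizeof` on these members is only correct if they are arrays rather than pointers, which the hunks do not show; the sp_rcontext.h change is fine as written, since it fixes the one case where the old size argument could leave m_message unterminated.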