mysql8.0/community-mysql-string-overflow.patch

58 lines
2.9 KiB
Diff
Raw Normal View History

These issues were found by Coverity static analysis tool, for more info
see messages by particular fixes (messages belong to 5.1.61).
2012-03-24 05:06:31 +00:00
Filed upstream at http://bugs.mysql.com/bug.php?id=64631
Error: BUFFER_SIZE_WARNING:
/builddir/build/BUILD/mysql-5.1.61/sql/sql_prepare.cc:2749: buffer_size_warning: Calling strncpy with a maximum size argument of 512 bytes on destination array "this->stmt->last_error" of size 512 bytes might leave the destination string unterminated.
diff -up mysql-5.5.28/sql/sql_prepare.cc.p20 mysql-5.5.28/sql/sql_prepare.cc
--- mysql-5.5.28/sql/sql_prepare.cc.p20 2012-08-29 10:50:46.000000000 +0200
+++ mysql-5.5.28/sql/sql_prepare.cc 2012-12-06 14:27:28.647087401 +0100
@@ -2879,7 +2879,7 @@ void mysql_stmt_get_longdata(THD *thd, c
{
stmt->state= Query_arena::STMT_ERROR;
stmt->last_errno= thd->stmt_da->sql_errno();
- strncpy(stmt->last_error, thd->stmt_da->message(), MYSQL_ERRMSG_SIZE);
+ strncpy(stmt->last_error, thd->stmt_da->message(), sizeof(stmt->last_error)-1);
}
thd->stmt_da= save_stmt_da;
thd->warning_info= save_warinig_info;
Error: STRING_OVERFLOW:
/builddir/build/BUILD/mysql-5.1.61/sql/sql_trigger.cc:2194: fixed_size_dest: You might overrun the 512 byte fixed-size string "this->m_parse_error_message" by copying "error_message" without checking the length.
/builddir/build/BUILD/mysql-5.1.61/sql/sql_trigger.cc:2194: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
diff -up mysql-5.5.28/sql/sql_trigger.cc.p20 mysql-5.5.28/sql/sql_trigger.cc
--- mysql-5.5.28/sql/sql_trigger.cc.p20 2012-08-29 10:50:46.000000000 +0200
+++ mysql-5.5.28/sql/sql_trigger.cc 2012-12-06 14:27:28.648087398 +0100
@@ -2260,7 +2260,7 @@ void Table_triggers_list::mark_fields_us
void Table_triggers_list::set_parse_error_message(char *error_message)
{
m_has_unparseable_trigger= true;
- strcpy(m_parse_error_message, error_message);
+ strncpy(m_parse_error_message, error_message, sizeof(m_parse_error_message)-1);
}
2012-04-28 03:51:49 +00:00
Error: STRING_OVERFLOW:
/builddir/build/BUILD/mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc:6544: fixed_size_dest: You might overrun the 512 byte fixed-size string "name2" by copying "name" without checking the length.
/builddir/build/BUILD/mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc:6544: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
diff -up mysql-5.5.28/storage/innobase/handler/ha_innodb.cc.p20 mysql-5.5.28/storage/innobase/handler/ha_innodb.cc
--- mysql-5.5.28/storage/innobase/handler/ha_innodb.cc.p20 2012-08-29 10:50:46.000000000 +0200
+++ mysql-5.5.28/storage/innobase/handler/ha_innodb.cc 2012-12-06 14:27:28.653087416 +0100
@@ -7054,7 +7054,7 @@ ha_innobase::create(
2012-04-28 03:51:49 +00:00
ut_a(strlen(name) < sizeof(name2));
- strcpy(name2, name);
+ strncpy(name2, name, sizeof(name2)-1);
normalize_table_name(norm_name, name2);