rpms/mysql8.0
7
0
Fork 0
Code Issues Pull Requests Releases Activity
bd92dc30da
mysql8.0/community-mysql-string-overflow.patch
Honza Horák 535f967c18 Update to 5.6.14
2024-02-05 16:59:12 +01:00

39 lines
2.0 KiB
Diff
Raw Blame History

These issues were found by Coverity static analysis tool, for more info
see messages by particular fixes (messages belong to 5.1.61).
Filed upstream at http://bugs.mysql.com/bug.php?id=64631
Error: BUFFER_SIZE_WARNING:
/builddir/build/BUILD/mysql-5.1.61/sql/sql_prepare.cc:2749: buffer_size_warning: Calling strncpy with a maximum size argument of 512 bytes on destination array "this->stmt->last_error" of size 512 bytes might leave the destination string unterminated.
diff -up mysql-5.6.10/sql/sql_prepare.cc.orig mysql-5.6.10/sql/sql_prepare.cc
--- mysql-5.6.10/sql/sql_prepare.cc.orig 2013-01-22 17:54:50.000000000 +0100
+++ mysql-5.6.10/sql/sql_prepare.cc 2013-02-19 15:50:53.257150632 +0100
@@ -2956,7 +2956,7 @@ void mysql_stmt_get_longdata(THD *thd, c
{
stmt->state= Query_arena::STMT_ERROR;
stmt->last_errno= thd->get_stmt_da()->sql_errno();
- strncpy(stmt->last_error, thd->get_stmt_da()->message(), MYSQL_ERRMSG_SIZE);
+ strncpy(stmt->last_error, thd->get_stmt_da()->message(), sizeof(stmt->last_error)-1);
}
thd->set_stmt_da(save_stmt_da);
Error: STRING_OVERFLOW:
/builddir/build/BUILD/mysql-5.1.61/sql/sql_trigger.cc:2194: fixed_size_dest: You might overrun the 512 byte fixed-size string "this->m_parse_error_message" by copying "error_message" without checking the length.
/builddir/build/BUILD/mysql-5.1.61/sql/sql_trigger.cc:2194: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
diff -up mysql-5.6.10/sql/sql_trigger.cc.orig mysql-5.6.10/sql/sql_trigger.cc
--- mysql-5.6.10/sql/sql_trigger.cc.orig 2013-01-22 17:54:50.000000000 +0100
+++ mysql-5.6.10/sql/sql_trigger.cc 2013-02-19 16:01:10.605885117 +0100
@@ -2303,7 +2303,7 @@ void Table_triggers_list::mark_fields_us
void Table_triggers_list::set_parse_error_message(char *error_message)
{
m_has_unparseable_trigger= true;
- strcpy(m_parse_error_message, error_message);
+ strncpy(m_parse_error_message, error_message, sizeof(m_parse_error_message)-1);
}
Reference in New Issue View Git Blame Copy Permalink