mysql8.4/community-mysql-string-overflow.patch

These issues were found by Coverity static analysis tool, for more info
see messages by particular fixes (messages belong to 5.1.61).

Filed upstream at http://bugs.mysql.com/bug.php?id=64631


Error: BUFFER_SIZE_WARNING:
/builddir/build/BUILD/mysql-5.1.61/sql/sql_prepare.cc:2749: buffer_size_warning: Calling strncpy with a maximum size argument of 512 bytes on destination array "this->stmt->last_error" of size 512 bytes might leave the destination string unterminated.

diff -up mysql-5.6.10/sql/sql_prepare.cc.orig mysql-5.6.10/sql/sql_prepare.cc
--- mysql-5.6.10/sql/sql_prepare.cc.orig	2013-01-22 17:54:50.000000000 +0100
+++ mysql-5.6.10/sql/sql_prepare.cc	2013-02-19 15:50:53.257150632 +0100
@@ -2956,7 +2956,7 @@ void mysql_stmt_get_longdata(THD *thd, c
   {
     stmt->state= Query_arena::STMT_ERROR;
     stmt->last_errno= thd->get_stmt_da()->sql_errno();
-    strncpy(stmt->last_error, thd->get_stmt_da()->message(), MYSQL_ERRMSG_SIZE);
+    strncpy(stmt->last_error, thd->get_stmt_da()->message(), sizeof(stmt->last_error)-1);
   }
   thd->set_stmt_da(save_stmt_da);


Error: STRING_OVERFLOW:
/builddir/build/BUILD/mysql-5.1.61/sql/sql_trigger.cc:2194: fixed_size_dest: You might overrun the 512 byte fixed-size string "this->m_parse_error_message" by copying "error_message" without checking the length.
/builddir/build/BUILD/mysql-5.1.61/sql/sql_trigger.cc:2194: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.

diff -up mysql-5.6.10/sql/sql_trigger.cc.orig mysql-5.6.10/sql/sql_trigger.cc
--- mysql-5.6.10/sql/sql_trigger.cc.orig	2013-01-22 17:54:50.000000000 +0100
+++ mysql-5.6.10/sql/sql_trigger.cc	2013-02-19 16:01:10.605885117 +0100
@@ -2303,7 +2303,7 @@ void Table_triggers_list::mark_fields_us
 void Table_triggers_list::set_parse_error_message(char *error_message)
 {
   m_has_unparseable_trigger= true;
-  strcpy(m_parse_error_message, error_message);
+  strncpy(m_parse_error_message, error_message, sizeof(m_parse_error_message)-1);
 }
Rebase patches to not leave backup files when not applied smoothly 2012-12-06 21:53:33 +00:00			`These issues were found by Coverity static analysis tool, for more info`
Fix several strcpy calls to check destination size 2012-03-13 17:05:56 +00:00			`see messages by particular fixes (messages belong to 5.1.61).`

Update to MySQL 5.5.22 2012-03-24 05:06:31 +00:00			`Filed upstream at http://bugs.mysql.com/bug.php?id=64631`


Fix several strcpy calls to check destination size 2012-03-13 17:05:56 +00:00			`Error: BUFFER_SIZE_WARNING:`
			`/builddir/build/BUILD/mysql-5.1.61/sql/sql_prepare.cc:2749: buffer_size_warning: Calling strncpy with a maximum size argument of 512 bytes on destination array "this->stmt->last_error" of size 512 bytes might leave the destination string unterminated.`

Update to 5.6.14 2013-10-09 15:55:08 +00:00			`diff -up mysql-5.6.10/sql/sql_prepare.cc.orig mysql-5.6.10/sql/sql_prepare.cc`
			`--- mysql-5.6.10/sql/sql_prepare.cc.orig 2013-01-22 17:54:50.000000000 +0100`
			`+++ mysql-5.6.10/sql/sql_prepare.cc 2013-02-19 15:50:53.257150632 +0100`
			`@@ -2956,7 +2956,7 @@ void mysql_stmt_get_longdata(THD *thd, c`
Fix several strcpy calls to check destination size 2012-03-13 17:05:56 +00:00			`{`
			`stmt->state= Query_arena::STMT_ERROR;`
Update to 5.6.14 2013-10-09 15:55:08 +00:00			`stmt->last_errno= thd->get_stmt_da()->sql_errno();`
			`- strncpy(stmt->last_error, thd->get_stmt_da()->message(), MYSQL_ERRMSG_SIZE);`
			`+ strncpy(stmt->last_error, thd->get_stmt_da()->message(), sizeof(stmt->last_error)-1);`
Fix several strcpy calls to check destination size 2012-03-13 17:05:56 +00:00			`}`
Update to 5.6.14 2013-10-09 15:55:08 +00:00			`thd->set_stmt_da(save_stmt_da);`
Fix several strcpy calls to check destination size 2012-03-13 17:05:56 +00:00

			`Error: STRING_OVERFLOW:`
			`/builddir/build/BUILD/mysql-5.1.61/sql/sql_trigger.cc:2194: fixed_size_dest: You might overrun the 512 byte fixed-size string "this->m_parse_error_message" by copying "error_message" without checking the length.`
			`/builddir/build/BUILD/mysql-5.1.61/sql/sql_trigger.cc:2194: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.`

Update to 5.6.14 2013-10-09 15:55:08 +00:00			`diff -up mysql-5.6.10/sql/sql_trigger.cc.orig mysql-5.6.10/sql/sql_trigger.cc`
			`--- mysql-5.6.10/sql/sql_trigger.cc.orig 2013-01-22 17:54:50.000000000 +0100`
			`+++ mysql-5.6.10/sql/sql_trigger.cc 2013-02-19 16:01:10.605885117 +0100`
			`@@ -2303,7 +2303,7 @@ void Table_triggers_list::mark_fields_us`
Fix several strcpy calls to check destination size 2012-03-13 17:05:56 +00:00			`void Table_triggers_list::set_parse_error_message(char *error_message)`
			`{`
			`m_has_unparseable_trigger= true;`
			`- strcpy(m_parse_error_message, error_message);`
			`+ strncpy(m_parse_error_message, error_message, sizeof(m_parse_error_message)-1);`
			`}`

Update to MySQL 5.5.23 2012-04-28 03:51:49 +00:00