mysql8.4/mysql-string-overflow.patch

58 lines
2.8 KiB
Diff
Raw Normal View History

These issues were found by Coverity static analysis tool, for more info
see messages by particular fixes (messages belong to 5.1.61).
2012-03-24 05:06:31 +00:00
Filed upstream at http://bugs.mysql.com/bug.php?id=64631
Error: BUFFER_SIZE_WARNING:
/builddir/build/BUILD/mysql-5.1.61/sql/sql_prepare.cc:2749: buffer_size_warning: Calling strncpy with a maximum size argument of 512 bytes on destination array "this->stmt->last_error" of size 512 bytes might leave the destination string unterminated.
2012-04-28 03:51:49 +00:00
diff -Naur mysql-5.5.23.orig/sql/sql_prepare.cc mysql-5.5.23/sql/sql_prepare.cc
--- mysql-5.5.23.orig/sql/sql_prepare.cc 2012-03-29 15:07:12.000000000 -0400
+++ mysql-5.5.23/sql/sql_prepare.cc 2012-04-27 22:19:09.196076848 -0400
@@ -2871,7 +2871,7 @@
{
stmt->state= Query_arena::STMT_ERROR;
stmt->last_errno= thd->stmt_da->sql_errno();
- strncpy(stmt->last_error, thd->stmt_da->message(), MYSQL_ERRMSG_SIZE);
+ strncpy(stmt->last_error, thd->stmt_da->message(), sizeof(stmt->last_error)-1);
}
thd->stmt_da= save_stmt_da;
thd->warning_info= save_warinig_info;
Error: STRING_OVERFLOW:
/builddir/build/BUILD/mysql-5.1.61/sql/sql_trigger.cc:2194: fixed_size_dest: You might overrun the 512 byte fixed-size string "this->m_parse_error_message" by copying "error_message" without checking the length.
/builddir/build/BUILD/mysql-5.1.61/sql/sql_trigger.cc:2194: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
2012-04-28 03:51:49 +00:00
diff -Naur mysql-5.5.23.orig/sql/sql_trigger.cc mysql-5.5.23/sql/sql_trigger.cc
--- mysql-5.5.23.orig/sql/sql_trigger.cc 2012-03-29 15:07:12.000000000 -0400
+++ mysql-5.5.23/sql/sql_trigger.cc 2012-04-27 22:19:09.198076947 -0400
@@ -2260,7 +2260,7 @@
void Table_triggers_list::set_parse_error_message(char *error_message)
{
m_has_unparseable_trigger= true;
- strcpy(m_parse_error_message, error_message);
+ strncpy(m_parse_error_message, error_message, sizeof(m_parse_error_message)-1);
}
2012-04-28 03:51:49 +00:00
Error: STRING_OVERFLOW:
/builddir/build/BUILD/mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc:6544: fixed_size_dest: You might overrun the 512 byte fixed-size string "name2" by copying "name" without checking the length.
/builddir/build/BUILD/mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc:6544: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
2012-04-28 03:51:49 +00:00
diff -Naur mysql-5.5.23.orig/storage/innobase/handler/ha_innodb.cc mysql-5.5.23/storage/innobase/handler/ha_innodb.cc
--- mysql-5.5.23.orig/storage/innobase/handler/ha_innodb.cc 2012-03-29 15:07:11.000000000 -0400
+++ mysql-5.5.23/storage/innobase/handler/ha_innodb.cc 2012-04-27 22:19:09.201077088 -0400
@@ -7023,7 +7023,7 @@
ut_a(strlen(name) < sizeof(name2));
- strcpy(name2, name);
+ strncpy(name2, name, sizeof(name2)-1);
normalize_table_name(norm_name, name2);