mysql8.4/community-mysql-string-overflow.patch
Tom Lane c80ae3ea7b mysql is being replaced by mariadb and/or MySQL.
this commit is squash of:
  last commit(s) of 'mysql' repo 'rawhide' branch
and
  first commit(s) of 'community-mysql' repo 'rawhide' branch
2024-02-05 16:59:12 +01:00

58 lines
2.9 KiB
Diff

These issues were found by Coverity static analysis tool, for more info
see messages by particular fixes (messages belong to 5.1.61).
Filed upstream at http://bugs.mysql.com/bug.php?id=64631
Error: BUFFER_SIZE_WARNING:
/builddir/build/BUILD/mysql-5.1.61/sql/sql_prepare.cc:2749: buffer_size_warning: Calling strncpy with a maximum size argument of 512 bytes on destination array "this->stmt->last_error" of size 512 bytes might leave the destination string unterminated.
diff -up mysql-5.5.28/sql/sql_prepare.cc.p20 mysql-5.5.28/sql/sql_prepare.cc
--- mysql-5.5.28/sql/sql_prepare.cc.p20 2012-08-29 10:50:46.000000000 +0200
+++ mysql-5.5.28/sql/sql_prepare.cc 2012-12-06 14:27:28.647087401 +0100
@@ -2879,7 +2879,7 @@ void mysql_stmt_get_longdata(THD *thd, c
{
stmt->state= Query_arena::STMT_ERROR;
stmt->last_errno= thd->stmt_da->sql_errno();
- strncpy(stmt->last_error, thd->stmt_da->message(), MYSQL_ERRMSG_SIZE);
+ strncpy(stmt->last_error, thd->stmt_da->message(), sizeof(stmt->last_error)-1);
}
thd->stmt_da= save_stmt_da;
thd->warning_info= save_warinig_info;
Error: STRING_OVERFLOW:
/builddir/build/BUILD/mysql-5.1.61/sql/sql_trigger.cc:2194: fixed_size_dest: You might overrun the 512 byte fixed-size string "this->m_parse_error_message" by copying "error_message" without checking the length.
/builddir/build/BUILD/mysql-5.1.61/sql/sql_trigger.cc:2194: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
diff -up mysql-5.5.28/sql/sql_trigger.cc.p20 mysql-5.5.28/sql/sql_trigger.cc
--- mysql-5.5.28/sql/sql_trigger.cc.p20 2012-08-29 10:50:46.000000000 +0200
+++ mysql-5.5.28/sql/sql_trigger.cc 2012-12-06 14:27:28.648087398 +0100
@@ -2260,7 +2260,7 @@ void Table_triggers_list::mark_fields_us
void Table_triggers_list::set_parse_error_message(char *error_message)
{
m_has_unparseable_trigger= true;
- strcpy(m_parse_error_message, error_message);
+ strncpy(m_parse_error_message, error_message, sizeof(m_parse_error_message)-1);
}
Error: STRING_OVERFLOW:
/builddir/build/BUILD/mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc:6544: fixed_size_dest: You might overrun the 512 byte fixed-size string "name2" by copying "name" without checking the length.
/builddir/build/BUILD/mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc:6544: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
diff -up mysql-5.5.28/storage/innobase/handler/ha_innodb.cc.p20 mysql-5.5.28/storage/innobase/handler/ha_innodb.cc
--- mysql-5.5.28/storage/innobase/handler/ha_innodb.cc.p20 2012-08-29 10:50:46.000000000 +0200
+++ mysql-5.5.28/storage/innobase/handler/ha_innodb.cc 2012-12-06 14:27:28.653087416 +0100
@@ -7054,7 +7054,7 @@ ha_innobase::create(
ut_a(strlen(name) < sizeof(name2));
- strcpy(name2, name);
+ strncpy(name2, name, sizeof(name2)-1);
normalize_table_name(norm_name, name2);