summaryrefslogtreecommitdiffstats
path: root/mysql-string-overflow.patch
diff options
context:
space:
mode:
Diffstat (limited to 'mysql-string-overflow.patch')
-rw-r--r--mysql-string-overflow.patch52
1 files changed, 52 insertions, 0 deletions
diff --git a/mysql-string-overflow.patch b/mysql-string-overflow.patch
new file mode 100644
index 0000000..80cf5bc
--- /dev/null
+++ b/mysql-string-overflow.patch
@@ -0,0 +1,52 @@
+These issues were found by Coverity static analysis tool, for more info
+see messages by particular fixes (messages belong to 5.1.61).
+
+Error: BUFFER_SIZE_WARNING:
+/builddir/build/BUILD/mysql-5.1.61/sql/sql_prepare.cc:2749: buffer_size_warning: Calling strncpy with a maximum size argument of 512 bytes on destination array "this->stmt->last_error" of size 512 bytes might leave the destination string unterminated.
+
+diff -up mysql-5.5.21/sql/sql_prepare.cc.coverity mysql-5.5.21/sql/sql_prepare.cc
+--- mysql-5.5.21/sql/sql_prepare.cc.coverity 2012-03-13 17:24:40.493658626 +0100
++++ mysql-5.5.21/sql/sql_prepare.cc 2012-03-13 17:25:14.574338307 +0100
+@@ -2863,7 +2863,7 @@ void mysql_stmt_get_longdata(THD *thd, c
+ {
+ stmt->state= Query_arena::STMT_ERROR;
+ stmt->last_errno= thd->stmt_da->sql_errno();
+- strncpy(stmt->last_error, thd->stmt_da->message(), MYSQL_ERRMSG_SIZE);
++ strncpy(stmt->last_error, thd->stmt_da->message(), sizeof(stmt->last_error)-1);
+ }
+ thd->stmt_da= save_stmt_da;
+ thd->warning_info= save_warinig_info;
+
+
+Error: STRING_OVERFLOW:
+/builddir/build/BUILD/mysql-5.1.61/sql/sql_trigger.cc:2194: fixed_size_dest: You might overrun the 512 byte fixed-size string "this->m_parse_error_message" by copying "error_message" without checking the length.
+/builddir/build/BUILD/mysql-5.1.61/sql/sql_trigger.cc:2194: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
+
+diff -up mysql-5.5.21/sql/sql_trigger.cc.coverity mysql-5.5.21/sql/sql_trigger.cc
+--- mysql-5.5.21/sql/sql_trigger.cc.coverity 2012-03-13 17:25:50.781985493 +0100
++++ mysql-5.5.21/sql/sql_trigger.cc 2012-03-13 17:27:04.589225626 +0100
+@@ -2260,7 +2260,7 @@ void Table_triggers_list::mark_fields_us
+ void Table_triggers_list::set_parse_error_message(char *error_message)
+ {
+ m_has_unparseable_trigger= true;
+- strcpy(m_parse_error_message, error_message);
++ strncpy(m_parse_error_message, error_message, sizeof(m_parse_error_message)-1);
+ }
+
+
+Error: STRING_OVERFLOW:
+/builddir/build/BUILD/mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc:6544: fixed_size_dest: You might overrun the 512 byte fixed-size string "name2" by copying "name" without checking the length.
+/builddir/build/BUILD/mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc:6544: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
+
+diff -up mysql-5.5.21/storage/innobase/handler/ha_innodb.cc.coverity mysql-5.5.21/storage/innobase/handler/ha_innodb.cc
+--- mysql-5.5.21/storage/innobase/handler/ha_innodb.cc.coverity 2012-03-13 17:28:52.982738150 +0100
++++ mysql-5.5.21/storage/innobase/handler/ha_innodb.cc 2012-03-13 17:29:14.952427553 +0100
+@@ -6926,7 +6926,7 @@ ha_innobase::create(
+ DBUG_RETURN(HA_ERR_TO_BIG_ROW);
+ }
+
+- strcpy(name2, name);
++ strncpy(name2, name, sizeof(name2)-1);
+
+ normalize_table_name(norm_name, name2);
+