summaryrefslogtreecommitdiffstats
path: root/mysql-string-overflow.patch
blob: eaa11e85441286a4eb203ec11f0ceb2f62b20779 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
These issues were found by Coverity static analysis tool, for more info 
see messages by particular fixes (messages belong to 5.1.61).

Filed upstream at http://bugs.mysql.com/bug.php?id=64631


Error: BUFFER_SIZE_WARNING:
/builddir/build/BUILD/mysql-5.1.61/sql/sql_prepare.cc:2749: buffer_size_warning: Calling strncpy with a maximum size argument of 512 bytes on destination array "this->stmt->last_error" of size 512 bytes might leave the destination string unterminated.

diff -Naur mysql-5.5.23.orig/sql/sql_prepare.cc mysql-5.5.23/sql/sql_prepare.cc
--- mysql-5.5.23.orig/sql/sql_prepare.cc	2012-03-29 15:07:12.000000000 -0400
+++ mysql-5.5.23/sql/sql_prepare.cc	2012-04-27 22:19:09.196076848 -0400
@@ -2871,7 +2871,7 @@
   {
     stmt->state= Query_arena::STMT_ERROR;
     stmt->last_errno= thd->stmt_da->sql_errno();
-    strncpy(stmt->last_error, thd->stmt_da->message(), MYSQL_ERRMSG_SIZE);
+    strncpy(stmt->last_error, thd->stmt_da->message(), sizeof(stmt->last_error)-1);
   }
   thd->stmt_da= save_stmt_da;
   thd->warning_info= save_warinig_info;


Error: STRING_OVERFLOW:
/builddir/build/BUILD/mysql-5.1.61/sql/sql_trigger.cc:2194: fixed_size_dest: You might overrun the 512 byte fixed-size string "this->m_parse_error_message" by copying "error_message" without checking the length.
/builddir/build/BUILD/mysql-5.1.61/sql/sql_trigger.cc:2194: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.

diff -Naur mysql-5.5.23.orig/sql/sql_trigger.cc mysql-5.5.23/sql/sql_trigger.cc
--- mysql-5.5.23.orig/sql/sql_trigger.cc	2012-03-29 15:07:12.000000000 -0400
+++ mysql-5.5.23/sql/sql_trigger.cc	2012-04-27 22:19:09.198076947 -0400
@@ -2260,7 +2260,7 @@
 void Table_triggers_list::set_parse_error_message(char *error_message)
 {
   m_has_unparseable_trigger= true;
-  strcpy(m_parse_error_message, error_message);
+  strncpy(m_parse_error_message, error_message, sizeof(m_parse_error_message)-1);
 }
 
 


Error: STRING_OVERFLOW:
/builddir/build/BUILD/mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc:6544: fixed_size_dest: You might overrun the 512 byte fixed-size string "name2" by copying "name" without checking the length.
/builddir/build/BUILD/mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc:6544: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.

diff -Naur mysql-5.5.23.orig/storage/innobase/handler/ha_innodb.cc mysql-5.5.23/storage/innobase/handler/ha_innodb.cc
--- mysql-5.5.23.orig/storage/innobase/handler/ha_innodb.cc	2012-03-29 15:07:11.000000000 -0400
+++ mysql-5.5.23/storage/innobase/handler/ha_innodb.cc	2012-04-27 22:19:09.201077088 -0400
@@ -7023,7 +7023,7 @@
 
 	ut_a(strlen(name) < sizeof(name2));
 
-	strcpy(name2, name);
+	strncpy(name2, name, sizeof(name2)-1);
 
 	normalize_table_name(norm_name, name2);