[Commits] Rev 3167: MDEV-3849 - 1 bytes stack overwrite in normalize_dirname(). in file:///H:/bzr/5.1-serg/

Vladislav Vaintroub wlad at montyprogram.com
Sat Nov 10 21:38:01 EET 2012


At file:///H:/bzr/5.1-serg/

------------------------------------------------------------
revno: 3167
revision-id: wlad at montyprogram.com-20121110193618-qa3vv22u1yn5u26h
parent: sergii at pisem.net-20121109191523-sqyaxhfs2q041oj1
committer: Vladislav Vaintroub <wlad at montyprogram.com>
branch nick: 5.1-serg
timestamp: Sat 2012-11-10 20:36:18 +0100
message:
  MDEV-3849 - 1 bytes stack overwrite in normalize_dirname().
  
  Take into account that the length of strings passed down to this function can be up to FN_REFLEN+1 bytes, including the terminating zero.
  The overwrite was caused by an incomplete fix for MySQL Bug # 44834
-------------- next part --------------
=== modified file 'mysys/mf_pack.c'
--- a/mysys/mf_pack.c	2011-11-21 17:13:14 +0000
+++ b/mysys/mf_pack.c	2012-11-10 19:36:18 +0000
@@ -35,7 +35,7 @@
   int cwd_err;
   size_t d_length,length,UNINIT_VAR(buff_length);
   char * start;
-  char buff[FN_REFLEN];
+  char buff[FN_REFLEN + 1];
   DBUG_ENTER("pack_dirname");
 
   (void) intern_filename(to,from);		/* Change to intern name */
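Review bot: The new size `FN_REFLEN + 1` carries no comment at the declaration, and the reason for it (inputs may be FN_REFLEN characters plus the terminating zero) is recorded only in the commit message. A short comment on the `buff` line, e.g. `/* FN_REFLEN + 1: input may be FN_REFLEN chars plus the terminating zero */`, would keep a later cleanup from shrinking the array again. The same applies to the `buff` declarations changed in normalize_dirname, unpack_filename, system_filename and intern_filename. pack_dirname begins and ends outside this hunk.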
@@ -132,7 +132,7 @@
   reg3 char * from_ptr;
   reg4 char * start;
   char parent[5],				/* for "FN_PARENTDIR" */
-       buff[FN_REFLEN+1],*end_parentdir;
+       buff[FN_REFLEN + 1],*end_parentdir;
 #ifdef BACKSLASH_MBTAIL
   CHARSET_INFO *fs= fs_character_set();
 #endif
@@ -245,7 +245,7 @@
 #ifdef USE_SYMDIR
 void symdirget(char *dir)
 {
-  char buff[FN_REFLEN+1];
+  char buff[FN_REFLEN + 1];
   char *pos=strend(dir);
   if (dir[0] && pos[-1] != FN_DEVCHAR && my_access(dir, F_OK))
   {
@@ -295,7 +295,7 @@
 size_t normalize_dirname(char *to, const char *from)
 {
   size_t length;
-  char buff[FN_REFLEN];
+  char buff[FN_REFLEN + 1];
   DBUG_ENTER("normalize_dirname");
 
   /*
@@ -423,7 +423,7 @@
 size_t unpack_filename(char * to, const char *from)
 {
   size_t length, n_length, buff_length;
-  char buff[FN_REFLEN];
+  char buff[FN_REFLEN + 1];
   DBUG_ENTER("unpack_filename");
 
   length=dirname_part(buff, from, &buff_length);/* copy & convert dirname */
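Review bot: `dirname_part(buff, from, &buff_length)` is handed no destination size, so the extra byte in `buff` protects only while `from` stays within the FN_REFLEN+1 limit described in the commit message. Consider asserting that contract at entry, e.g. `DBUG_ASSERT(strlen(from) <= FN_REFLEN);`, so an over-long path fails loudly in debug builds instead of writing past the array. How dirname_part bounds its copy is not visible here, and unpack_filename continues beyond the hunk.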
@@ -459,7 +459,7 @@
   int libchar_found;
   size_t length;
   char * to_pos,from_pos,pos;
-  char buff[FN_REFLEN];
+  char buff[FN_REFLEN + 1];
   DBUG_ENTER("system_filename");
 
   libchar_found=0;
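Review bot: The context line `char * to_pos,from_pos,pos;` declares only `to_pos` as a pointer; `from_pos` and `pos` are plain `char`, which looks unintended given their names. If they are used as pointers further down, the declaration should read `char *to_pos, *from_pos, *pos;`. The rest of system_filename lies outside this hunk, so this may be a code path that is not built on current platforms; it is worth confirming while this declaration block is being touched.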
@@ -516,7 +516,7 @@
 char *intern_filename(char *to, const char *from)
 {
   size_t length, to_length;
-  char buff[FN_REFLEN];
+  char buff[FN_REFLEN + 1];
   if (from == to)
   {						/* Dirname may destroy from */
     strmov(buff,from);
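Review bot: The `strmov(buff,from)` in the `from == to` branch copies with no length limit, so the enlarged `buff` is safe only while every caller keeps `from` within FN_REFLEN characters plus the terminating zero. A bounded copy such as `strmake(buff, from, sizeof(buff) - 1);` would make the function safe on its own rather than by caller convention. The body of intern_filename continues outside the hunk, so any length check elsewhere in it is not visible here.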


