BUG#18779944: MYSQLDUMP BUFFER OVERFLOW

Mysqldump overflows stack buffer when copying table name from commandline arguments resulting in stack corruption and ability to execute arbitrary code.

Fix: Check length of all positional arguments passed to mysqldump is smaller than NAME_LEN.
Note: Mysqldump heavily depends on that database objects (databases, tablespaces, tables, etc) are limited to small size (now it is 64).

client/mysqldump.c

@@ -5538,7 +5538,23 @@ int main(int argc, char **argv)
       dump_all_tablespaces();
     dump_all_databases();
   }
-  else if (argc > 1 && !opt_databases)
+  else
+  {
+    // Check all arguments meet length condition. Currently database and table
+    // names are limited to NAME_LEN bytes and stack-based buffers assumes
+    // that escaped name will be not longer than NAME_LEN*2 + 2 bytes long.
+    int argument;
+    for (argument= 0; argument < argc; argument++)
+    {
+      size_t argument_length= strlen(argv[argument]);
+      if (argument_length > NAME_LEN)
+      {
+        die(EX_CONSCHECK, "[ERROR] Argument '%s' is too long, it cannot be "
+          "name for any table or database.\n", argv[argument]);
+      }
+    }
+
+    if (argc > 1 && !opt_databases)
     {
       /* Only one database and selected table(s) */
       if (!opt_alltspcs && !opt_notspcs)
@@ -5552,6 +5568,7 @@ int main(int argc, char **argv)
         dump_tablespaces_for_databases(argv);
       dump_databases(argv);
     }
+  }
 
   /* if --dump-slave , start the slave sql thread */
   if (opt_slave_data && do_start_slave_sql(mysql))