1berry/MariaDB-server
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

applying patch for BUG15912213

Browse Source
This commit is contained in:
unknown 2012-11-29 19:34:47 +01:00 committed by Akhil Mohan
parent 86c0a80b0d
commit 2cbf2e643b
1 changed files with 20 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
sql/sql_acl.cc
View File

@ -1356,10 +1356,19 @@ ulong acl_get(const char *host, const char *ip,
{
ulong host_access= ~(ulong)0, db_access= 0;
uint i;
size_t key_length;
size_t key_length, copy_length;
char key[ACL_KEY_LENGTH],*tmp_db,*end;
acl_entry *entry;
DBUG_ENTER("acl_get");
copy_length= (size_t) (strlen(ip ? ip : "") +
strlen(user ? user : "") +
strlen(db ? db : ""));
/*
Make sure that strmov() operations do not result in buffer overflow.
*/
if (copy_length >= ACL_KEY_LENGTH)
DBUG_RETURN(0);
VOID(pthread_mutex_lock(&acl_cache->lock));
end=strmov((tmp_db=strmov(strmov(key, ip ? ip : "")+1,user)+1),db);
@ -4340,6 +4349,16 @@ bool check_grant_db(THD *thd,const char *db)
char helping [NAME_LEN+USERNAME_LENGTH+2];
uint len;
bool error= TRUE;
size_t copy_length;
copy_length= (size_t) (strlen(sctx->priv_user ? sctx->priv_user : "") +
strlen(db ? db : ""));
/*
Make sure that strmov() operations do not result in buffer overflow.
*/
if (copy_length >= (NAME_LEN+USERNAME_LENGTH+2))
return 1;
len= (uint) (strmov(strmov(helping, sctx->priv_user) + 1, db) - helping) + 1;