From 2e1428c0b552f2c80aa4b27edaaab8bde8966b22 Mon Sep 17 00:00:00 2001
From: Sergei Golubchik
Date: Mon, 15 May 2017 13:33:59 +0200
Subject: [PATCH] MDEV-12799 Buffer overflow with a specially corrupted master.info

one can get an invalid heartbeat_period that will trigger a heap overflow.
---
 sql/rpl_mi.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sql/rpl_mi.cc b/sql/rpl_mi.cc
index 3c5a99121fa..13284308f04 100644
--- a/sql/rpl_mi.cc
+++ b/sql/rpl_mi.cc
@@ -401,7 +401,7 @@ file '%s')", fname);
 mi->connect_retry= (uint) connect_retry;
 mi->ssl= (my_bool) ssl;
 mi->ssl_verify_server_cert= ssl_verify_server_cert;
- mi->heartbeat_period= master_heartbeat_period;
+ mi->heartbeat_period= min(SLAVE_MAX_HEARTBEAT_PERIOD, master_heartbeat_period);
 }
 DBUG_PRINT("master_info",("log_file_name: %s position: %ld",
 mi->master_log_name,
@@ -518,8 +518,8 @@ int flush_master_info(Master_info* mi,
 contents of file). But because of number of lines in the first line of file we don't care about this garbage.
 */
- char heartbeat_buf[sizeof(mi->heartbeat_period) * 4]; // buffer to suffice always
- sprintf(heartbeat_buf, "%.3f", mi->heartbeat_period);
+ char heartbeat_buf[FLOATING_POINT_BUFFER];
+ my_fcvt(mi->heartbeat_period, 3, heartbeat_buf, NULL);
 my_b_seek(file, 0L);
 my_b_printf(file, "%u\n%s\n%s\n%s\n%s\n%s\n%d\n%d\n%d\n%s\n%s\n%s\n%s\n%s\n%d\n%s\n%s\n%s\n",
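Review bot: The clamp on the added line in the first hunk bounds heartbeat_period from above only; a negative value, or a NaN, read from a corrupted master.info still reaches mi->heartbeat_period, and if `min` is the usual `(a) < (b) ? (a) : (b)` macro a NaN second operand is returned unchanged because the comparison is false. A guard written as the negation of the in-range test rejects NaN as well as out-of-range values, e.g. `if (!(master_heartbeat_period >= 0 && master_heartbeat_period <= SLAVE_MAX_HEARTBEAT_PERIOD)) sql_print_warning("Invalid heartbeat_period in master.info; clamping to SLAVE_MAX_HEARTBEAT_PERIOD");` placed before the assignment, with the assignment then clamping both ends. The silent clamp also leaves no trace in the error log, so an operator never learns that master.info held an out-of-range value, which is exactly the signal wanted when the file has been tampered with or corrupted. The type of master_heartbeat_period and the code that parses it from the file lie outside this hunk, as do the start and end of the enclosing function, so whether the parser already rejects negatives cannot be confirmed from here.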