1berry/MariaDB-server
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

MDEV-22824 Buffer overflow in dict_table_t::parse_name()

Browse Source 
dict_table_t::parse_name(): Strip any partition or subpartition
name before copying the name to the decoding buffer.
This commit is contained in:
Marko Mäkelä 2020-06-07 18:54:34 +03:00
parent 0e69f601aa
commit 3be169093b
1 changed files with 13 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
storage/innobase/dict/dict0dict.cc
View File

@ -747,21 +747,28 @@ bool dict_table_t::parse_name(char (&db_name)[NAME_LEN + 1],
memcpy(db_buf, name.m_name, db_len); memcpy(db_buf, name.m_name, db_len);
db_buf[db_len]= 0; db_buf[db_len]= 0;
size_t tbl_len= strlen(name.m_name + db_len); size_t tbl_len= strlen(name.m_name + db_len + 1);
const bool is_temp= tbl_len > TEMP_FILE_PREFIX_LENGTH &&
!strncmp(name.m_name, TEMP_FILE_PREFIX, TEMP_FILE_PREFIX_LENGTH);
if (is_temp);
else if (const char *is_part= static_cast<const char*>
(memchr(name.m_name + db_len + 1, '#', tbl_len)))
tbl_len= static_cast<size_t>(is_part - &name.m_name[db_len + 1]);
memcpy(tbl_buf, name.m_name + db_len + 1, tbl_len); memcpy(tbl_buf, name.m_name + db_len + 1, tbl_len);
tbl_buf[tbl_len]= 0;
if (!dict_locked) if (!dict_locked)
mutex_exit(&dict_sys.mutex); mutex_exit(&dict_sys.mutex);
*db_name_len= filename_to_tablename(db_buf, db_name, *db_name_len= filename_to_tablename(db_buf, db_name,
MAX_DATABASE_NAME_LEN + 1, true); MAX_DATABASE_NAME_LEN + 1, true);
if (tbl_len > TEMP_FILE_PREFIX_LENGTH if (is_temp)
&& !strncmp(tbl_buf, TEMP_FILE_PREFIX, TEMP_FILE_PREFIX_LENGTH))
return false; return false;
if (char* is_part= strchr(tbl_buf, '#'))
*is_part= '\0';
*tbl_name_len= filename_to_tablename(tbl_buf, tbl_name, *tbl_name_len= filename_to_tablename(tbl_buf, tbl_name,
MAX_TABLE_NAME_LEN + 1, true); MAX_TABLE_NAME_LEN + 1, true);
return true; return true;