From 44e2c65a2d2e8299e8c5b58d5538a6af5a375e38 Mon Sep 17 00:00:00 2001
From: "lars-erik.bjork@sun.com" <>
Date: Mon, 14 Dec 2009 00:58:16 +0100
Subject: [PATCH] This is a patch for Bug#48500 5.0 buffer overflow for ER_UPDATE_INFO, or truncated info message in 5.1 5.0.86 has a buffer overflow/crash, and 5.1.40 has a truncated message. errmsg.txt contains this: ER_UPDATE_INFO rum "Linii identificate (matched): %ld Schimbate: %ld Atentionari (warnings): %ld" When that is sprintf'd into a buffer of STRING_BUFFER_USUAL_SIZE size, a buffer overflow can happen. The solution to this is to use MYSQL_ERRMSG_SIZE for the buffer size, instead of STRING_BUFFER_USUAL_SIZE. This will allow longer strings. To avoid potential crashes, we will also use my_snprintf instead of sprintf.
---
 sql/sql_update.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sql/sql_update.cc b/sql/sql_update.cc
index 06d1bcaa8fb..35ae0febcec 100644
--- a/sql/sql_update.cc
+++ b/sql/sql_update.cc
@@ -600,8 +600,8 @@ int mysql_update(THD *thd,
 if (error < 0)
 {
- char buff[STRING_BUFFER_USUAL_SIZE];
- sprintf(buff, ER(ER_UPDATE_INFO), (ulong) found, (ulong) updated,
+ char buff[MYSQL_ERRMSG_SIZE];
+ my_snprintf(buff, sizeof(buff), ER(ER_UPDATE_INFO), (ulong) found, (ulong) updated,
 (ulong) thd->cuted_fields);
 thd->row_count_func= (thd->client_capabilities & CLIENT_FOUND_ROWS) ? found : updated;