1berry/MariaDB-server
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

This is a patch for Bug#48500

Browse Source 
5.0 buffer overflow for ER_UPDATE_INFO, or truncated info message in 5.1
      
5.0.86 has a buffer overflow/crash, and 5.1.40 has a truncated message.
      
errmsg.txt contains this:
      
ER_UPDATE_INFO
rum "Linii identificate (matched): %ld  Schimbate: %ld  Atentionari 
(warnings): %ld"
When that is sprintf'd into a buffer of STRING_BUFFER_USUAL_SIZE size,
a buffer overflow can happen.
      
The solution to this is to use MYSQL_ERRMSG_SIZE for the buffer size, 
instead of STRING_BUFFER_USUAL_SIZE. This will allow longer strings. 
To avoid potential crashes, we will also use my_snprintf instead of
sprintf.
This commit is contained in:
lars-erik.bjork@sun.com 2009-12-14 00:58:16 +01:00
parent 98f738b198
commit 44e2c65a2d
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sql/sql_update.cc
View File

@ -600,8 +600,8 @@ int mysql_update(THD *thd,
if (error < 0) if (error < 0)
{ {
char buff[STRING_BUFFER_USUAL_SIZE]; char buff[MYSQL_ERRMSG_SIZE];
sprintf(buff, ER(ER_UPDATE_INFO), (ulong) found, (ulong) updated, my_snprintf(buff, sizeof(buff), ER(ER_UPDATE_INFO), (ulong) found, (ulong) updated,
(ulong) thd->cuted_fields); (ulong) thd->cuted_fields);
thd->row_count_func= thd->row_count_func=
(thd->client_capabilities & CLIENT_FOUND_ROWS) ? found : updated; (thd->client_capabilities & CLIENT_FOUND_ROWS) ? found : updated;