Bug#14834378 ADDRESSSANITIZER BUG IN FILENAME_TO_TABLENAME

Backport to 5.5
2013-06-14 16:38:27 +02:00 · 2013-06-14 16:38:27 +02:00 · 82d9c8e8d9
commit 82d9c8e8d9
parent a040586cce
2 changed files with 5 additions and 2 deletions
--- a/sql/sql_table.cc
+++ b/sql/sql_table.cc
@ -378,7 +378,8 @@ uint filename_to_tablename(const char *from, char *to, uint to_length
  DBUG_ENTER("filename_to_tablename");
  DBUG_PRINT("enter", ("from '%s'", from));

-  if (!memcmp(from, tmp_file_prefix, tmp_file_prefix_length))
+  if (strlen(from) >= tmp_file_prefix_length &&
+      !memcmp(from, tmp_file_prefix, tmp_file_prefix_length))
  {
    /* Temporary table name. */
    res= (strnmov(to, from, to_length) - to);
--- a/strings/ctype-utf8.c
+++ b/strings/ctype-utf8.c
@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

   This library is free software; you can redistribute it and/or
   modify it under the terms of the GNU Library General Public
@ -4391,6 +4391,8 @@ my_mb_wc_filename(CHARSET_INFO *cs __attribute__((unused)),
    return MY_CS_TOOSMALL3;
  
  byte1= s[1];
+  if (byte1 == 0)
+    return MY_CS_ILSEQ; /* avoid possible out-of-bounds read */
  byte2= s[2];
  
  if (byte1 >= 0x30 && byte1 <= 0x7F &&