BUG#16402143 - STACK CORRUPTION IN DBUG_EXPLAIN

DESCRIPTION AND FIX:
DBUG_EXPLAIN results in a buffer overflow when the
DEBUG variable value's length exceeds 255.
The _db_explain_ function, which calls the macro str_to_buf,
incorrectly passes the length of buf available to
strnmov as len+1. The fix calculates the available
space in buf and passes it to strnxmov.
Thayumanavar 2013-04-10 11:50:41 +05:30
parent c60a9f740c
commit aea3d4b851

@ -919,7 +919,7 @@ void _db_pop_()
} while (0)
#define str_to_buf(S) do { \
char_to_buf(','); \
buf=strnmov(buf, (S), len+1); \
buf=strnmov(buf, (S), end-buf); \
if (buf >= end) goto overflow; \
} while (0)
#define list_to_buf(l, f) do { \
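Review bot: In str_to_buf, the new bound `end-buf` is computed only after `char_to_buf(',')` has already advanced buf, and the `if (buf >= end) goto overflow;` check runs after the copy rather than before it. If char_to_buf can ever leave buf past end, the pointer difference is negative and becomes a very large length when passed to strnmov. Please either test `buf >= end` before the strnmov call or add a comment stating that char_to_buf guarantees buf <= end on fall-through. The commit message also says the space is passed to strnxmov while the macro calls strnmov, so one of the two should be corrected. A regression test with a DEBUG value longer than 255 characters would help too, since none is visible in this change.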