From: Marc Alff
Date: October 7 2010 9:17pm
Subject: bzr commit into mysql-next-mr-bugfixing branch (marc.alff:3321) Bug#57106
List-Archive: http://lists.mysql.com/commits/120308
X-Bug: 57106
Message-Id: <201010072117.o97EbqgY001978@rcsinet15.oracle.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7667707555048675708=="

--===============7667707555048675708==
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

#At file:///Users/malff/BZR_TREE/mysql-next-mr-bugfixing-57106/ based on revid:luis.soares@stripped

 3321 Marc Alff	2010-10-07
      Bug#57106 Robustness of memcpy calls in the performance schema

      Before this fix:
      - SELECT * from SETUP_ACTORS
      - SELECT * from THREADS
      could lead to crashes inside a memcpy, because the length of the memory to copy was not checked.

      This fix makes these tables more robust to invalid data,which can be produced with edge conditions when the record read is changing.

    modified:
      storage/perfschema/table_setup_actors.cc
      storage/perfschema/table_threads.cc
=== modified file 'storage/perfschema/table_setup_actors.cc'
--- a/storage/perfschema/table_setup_actors.cc	2010-07-02 16:15:37 +0000
+++ b/storage/perfschema/table_setup_actors.cc	2010-10-07 21:16:41 +0000
@@ -174,12 +174,23 @@ void table_setup_actors::make_row(PFS_se
   pfs->m_lock.begin_optimistic_lock(&lock);

-  memcpy(m_row.m_hostname, pfs->m_hostname, pfs->m_hostname_length);
   m_row.m_hostname_length= pfs->m_hostname_length;
-  memcpy(m_row.m_username, pfs->m_username, pfs->m_username_length);
+  if (unlikely((m_row.m_hostname_length == 0) ||
+               (m_row.m_hostname_length > sizeof(m_row.m_hostname))))
+    return;
+  memcpy(m_row.m_hostname, pfs->m_hostname, m_row.m_hostname_length);
+
   m_row.m_username_length= pfs->m_username_length;
-  memcpy(m_row.m_rolename, pfs->m_rolename, pfs->m_rolename_length);
+  if (unlikely((m_row.m_username_length == 0) ||
+               (m_row.m_username_length > sizeof(m_row.m_username))))
+    return;
+  memcpy(m_row.m_username, pfs->m_username, m_row.m_username_length);
+
   m_row.m_rolename_length= pfs->m_rolename_length;
+  if (unlikely((m_row.m_rolename_length == 0) ||
+               (m_row.m_rolename_length > sizeof(m_row.m_rolename))))
+    return;
+  memcpy(m_row.m_rolename, pfs->m_rolename, m_row.m_rolename_length);

   if (pfs->m_lock.end_optimistic_lock(&lock))
     m_row_exists= true;
=== modified file 'storage/perfschema/table_threads.cc'
--- a/storage/perfschema/table_threads.cc	2010-07-21 19:06:21 +0000
+++ b/storage/perfschema/table_threads.cc	2010-10-07 21:16:41 +0000
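Review bot: The new checks bound each `m_row.m_*_length` against the destination array only, so the `memcpy` at each of the three sites still over-reads if the corresponding `pfs->m_hostname` / `pfs->m_username` / `pfs->m_rolename` array is smaller than the `m_row` one; neither declaration is visible in the hunk, and the table_threads.cc hunk below relies on the same assumption. A compile-time size assertion next to the first check would pin it, e.g. `compile_time_assert(sizeof(m_row.m_hostname) == sizeof(pfs->m_hostname));` (if this tree's compile_time_assert macro is available; otherwise bound the copy by the smaller of the two sizes). Separately, a zero length drops the row here, whereas the table_threads.cc hunk accepts a zero length and only skips the copy; if "a setup_actors name is never empty" is the invariant, a comment above the first check such as `/* An empty name is never valid in setup_actors: treat it as a torn record and skip the row. */` would stop the next reader from "fixing" the asymmetry. The opening lines of make_row are outside the hunk.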
@@ -187,12 +187,25 @@ void table_threads::make_row(PFS_thread
   m_row.m_thread_id= pfs->m_thread_id;
   m_row.m_name= safe_class->m_name;
   m_row.m_name_length= safe_class->m_name_length;
-  memcpy(m_row.m_username, pfs->m_username, pfs->m_username_length);
+
   m_row.m_username_length= pfs->m_username_length;
-  memcpy(m_row.m_hostname, pfs->m_hostname, pfs->m_hostname_length);
+  if (unlikely(m_row.m_username_length > sizeof(m_row.m_username)))
+    return;
+  if (m_row.m_username_length != 0)
+    memcpy(m_row.m_username, pfs->m_username, m_row.m_username_length);
+
   m_row.m_hostname_length= pfs->m_hostname_length;
-  memcpy(m_row.m_dbname, pfs->m_dbname, pfs->m_dbname_length);
+  if (unlikely(m_row.m_hostname_length > sizeof(m_row.m_hostname)))
+    return;
+  if (m_row.m_hostname_length != 0)
+    memcpy(m_row.m_hostname, pfs->m_hostname, m_row.m_hostname_length);
+
   m_row.m_dbname_length= pfs->m_dbname_length;
+  if (unlikely(m_row.m_dbname_length > sizeof(m_row.m_dbname)))
+    return;
+  if (m_row.m_dbname_length != 0)
+    memcpy(m_row.m_dbname, pfs->m_dbname, m_row.m_dbname_length);
+
   m_row.m_command= pfs->m_command;
   m_row.m_start_time= pfs->m_start_time;
   /* FIXME: need to copy it ?
*/ --===============7667707555048675708== MIME-Version: 1.0 Content-Type: text/bzr-bundle; charset="us-ascii"; name="bzr/marc.alff@stripped" Content-Transfer-Encoding: 7bit Content-Disposition: inline # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: marc.alff@stripped # target_branch: file:///Users/malff/BZR_TREE/mysql-next-mr-bugfixing-\ # 57106/ # testament_sha1: ade0edaecf5d29b59013cc1be91becf294d818cd # timestamp: 2010-10-07 15:17:03 -0600 # base_revision_id: luis.soares@stripped\ # sswdterxxrqt6mvg # # Begin bundle IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWYniBXQAAvpfgFAYeHf//35G 3gC////0YAZPmvQDQrl9sNAPQ3rMJJRTxT0Cepp5T000nqNAPUPSBmU0ZAzUAlEk9E1PwmKagNNA ANAGgAAAc0ZMTABMRgRpgQYjBMmARg1G1JGhpoANDQAAAAGgAA2pIMqep5PU1PJPU9QepoAaAAAA ACRQTQAQCMTQ1J+iamp6mgxlD1Bpp4pCnkERjGZZosMtCuj7Bq3ZpSfHgFvL+VxQPMDioqtVuVvP E4tGjSraNVDpg5XCpdGe1JBABfqqv0Qfkcj+peNNg2H4C+nzDvyyHT9neP0b3UjFrW5qGFRdS+tw izogSjvHoeFP2z5vbtHk2oaetnGZECxpXAp4i+2lF6zr8BmH7xJWCdrime8TgDt0LI5U0RhuKdVO qP03ggL4m1rCgVqA7OqjS0RaBYTMmRiEkRJShKIslcmrYKCDWLuFMpEFh2LzMiMOiF56FZVuFy6m 3v7z9tJHutoogcrtsc0jAWsS+wkoLaZXTNDtZgUCLQNhEaTF4DSTZNJpsBgneOA0PL0kFBk2nCB0 KEoiLOFn46zVMKLoTrjSBAx9WC8IKeBYBSh5wQQGI+40iNtqNX/XxM/C0qsgF4VxNktiyQWWyMsK 9mqe6o+RMHUT/9ZfqksDSADC8+MFYmeTJtESBecD2LbjMe76kNWNz2zXIZVxSDEyIl6CVlcjhTka QnX8deHFK0JUMhPRk+mYfMgXjoyixhcYnPiWI0sUKwMm0jGQOA7ylslNXLYbbyR4eFlL8kZ1kZmJ sDkaZVuvBTVRJfpbqJFuZdWByNmyp4VvQw2ElDMhCG2NhXMCvpSoyjAuIWYYh41mBWuyI3YOF89h SqIi+JwyIuW60i8cQpwzLlQwxu1yHUQMRy1GvJklBwWNrZjpFmMBxg05QeWi2rsNYVF7LlgKTH3D sJvNLHn41kroGUb7LdHQJrKKnXEHR1KpFKn7xdRUqOtVLJHfZoDEDo0CyWDgu7KKYpTILfd+K6zM yZ1uVw1G176NK0vkDlv3tvXNji2DNDghtrUggmnMKBbpC+bElFSBqCFfCMT4xmLyidgl7zsT95+d qWPUgjgUB6VzCx84L+7+yhAlS6d9tv5KCiFR4vlWZofO/W7LTiPJsxGSllGWRKIVNUg8hRxF4YnH UizfJ2l5j51hz1n3KzepOs6K2hrndBJWiWuslp3gRqVJw+WqETaV4da6sgmD+UkXdRci2Ve42GHi rsAKlTxXE3/TYdVye7nvIcBBUAUwN5Aw7ZSPmuh6Fpt3r0hgXomIICzOGcfPXFYmyMaH08LOmrB2 
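Review bot: The three `if (m_row.m_*_length != 0)` guards are what make this hunk's policy differ from the table_setup_actors.cc change (where a zero length rejects the whole row), but nothing in the hunk says why an empty user, host or db name is legitimate for a thread; a comment above the first guard would record the intent, e.g. `/* A thread may legitimately have no user/host/db name yet (presumably before authentication, or for a server-internal thread): an empty name is valid here, only the copy is skipped. */` with the "presumably" part confirmed against the thread-state code. The early `return`s leave `m_row.m_thread_id`, `m_name` and `m_name_length` already assigned; that is harmless only if the caller keys on `m_row_exists` rather than on those fields, which is not visible here and worth a one-line note at the first `return`. make_row's body continues outside the hunk, and the lock/`m_row_exists` handling that follows is not shown.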
94Hbl11Np/ZypREsEmsEis3RkrkYNdlNcQziEKIGEuO8sU0iNaJVIOPiB5nEZ6EkgwBRzCi+pxOY cuhvAzekzszcKJH10KGHd1bQ5y0aQbgVGAzeJwCyAdJSUPhD1BNcwORtEa5GlqnC/D1tRhD2s2oN ioLiKRI6Iy9e+X/Hy31YosnqOC7kdyz8s11LQNTInBdBc+CLAN/EK0VgWRDGwtEmHqLTqK8FBij+ uKRe+Ynud3uxOCyFgAfDsxMaBsOQZsBjBsBkCIwJqPlQ+R80yHSSqAxEgp9W2NlW45YypSpe7YfB Rsm6qy4TVd6yxbSEgkEgkOBjCtiEgkIsLJbDag2GnCqU0gjvFgeRd7W2VibBh0uXTmsvzZaVigBN JVofrCJH7CViIbrkRX4uLPQFplSwSWs8gK9iz4MYRUOZZAWFUKq7amloBiB5f6y3Zruz3K5IO++Y KKy2JxEcxadZKwPwrDYKIKWrbULgODEjMQHswyWoaMixWuyUIyG+QJip+J6lUa2SIl8gwhByFRaJ jHhCm4ntEgkWYgRlwmWiTayefxJrFeBSpO3sozWwmssJUr6ki5gkE5NcZ8b61PSIeMHNZraA6MKt qDE/LpmsOXsLWsWLTUCrMPIaawRS0SWqC8gIfu/uTGavYf8jnDirhb1p5wHuTbFVFWsqMEsxlKmo EQLegCg/+Sif4u5IpwoSETxAroA= --===============7667707555048675708==--