4745 Harin Vadodaria 2012-12-11
Bug#15884324: FIX ISSUES IDENTIFIED BY FORTIFY
Description: This patch covers fixes and assertions for the buffer
overflow issues identified by Fortify.
modified:
client/mysql_plugin.c
cmd-line-utils/libedit/vi.c
sql-common/client.c
storage/innobase/row/row0merge.cc
zlib/inflate.c
4744 Annamalai Gurusami 2012-12-11 [merge]
Null merge from mysql-5.5 to mysql-5.6.
=== modified file 'client/mysql_plugin.c'
--- a/client/mysql_plugin.c 2012-10-03 06:13:53 +0000
+++ b/client/mysql_plugin.c 2012-12-11 05:32:21 +0000
@@ -558,13 +558,18 @@ static int search_dir(const char * base_
const char *last_fn_libchar;
#endif
+ if ((strlen(base_path) + strlen(subdir) + 1) > FN_REFLEN)
+ {
+ fprintf(stderr, "WARNING: Search path is too long\n");
+ return 1;
+ }
strcpy(source_path, base_path);
strcat(source_path, subdir);
fn_format(new_path, tool_name, source_path, "", MY_UNPACK_FILENAME);
if (file_exists(new_path))
{
strcpy(tool_path, new_path);
- return 1;
+ return 0;
}
#if __WIN__
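Review bot: The new length guard keeps the `strcpy`/`strcat` into `source_path` in bounds only if `source_path` is exactly `FN_REFLEN` bytes, which is declared outside this hunk and not visible here; stating the bound at the call site avoids that coupling, e.g. `if (snprintf(source_path, FN_REFLEN, "%s%s", base_path, subdir) >= FN_REFLEN)` in place of the strlen sum plus the two unbounded calls. The return convention also flips to 0 = found and 1 = not found (or path too long) here and in the hunks at L34-45, L46-59 and L60-68, but the header comment of search_dir, which lies above this hunk, is not updated; suggest `/* Returns 0 and fills tool_path when the tool is found, 1 otherwise (including when base_path + subdir would exceed FN_REFLEN). */`. Note that `strcpy(tool_path, new_path)` and its `__WIN__` twin remain unbounded unless `tool_path` is also `FN_REFLEN` bytes, which the hunk does not show. search_dir starts above this hunk.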
@@ -588,11 +593,11 @@ static int search_dir(const char * base_
if (file_exists(win_abs_path))
{
strcpy(tool_path, win_abs_path);
- return 1;
+ return 0;
}
}
#endif
- return 0;
+ return 1;
}
@@ -617,12 +622,12 @@ static int search_paths(const char *base
};
for (i = 0 ; i < (int)array_elements(paths); i++)
{
- if (search_dir(base_path, tool_name, paths[i], tool_path))
+ if (!search_dir(base_path, tool_name, paths[i], tool_path))
{
- return 1;
+ return 0;
}
}
- return 0;
+ return 1;
}
@@ -1006,7 +1011,7 @@ static int find_tool(const char *tool_na
};
for (i= 0; i < (int)array_elements(paths); i++)
{
- if (paths[i] && (search_paths(paths[i], tool_name, tool_path)))
+ if (paths[i] && !(search_paths(paths[i], tool_name, tool_path)))
goto found;
}
fprintf(stderr, "WARNING: Cannot find %s.\n", tool_name);
=== modified file 'cmd-line-utils/libedit/vi.c'
--- a/cmd-line-utils/libedit/vi.c 2011-10-13 19:47:46 +0000
+++ b/cmd-line-utils/libedit/vi.c 2012-12-11 05:32:21 +0000
@@ -1028,7 +1028,8 @@ vi_histedit(EditLine *el, Int c __attrib
close(fd);
return CC_ERROR;
}
- line = el_malloc(len * sizeof(*line));
+ /* XXXMYSQL: Make static analyzer happy */
+ line = el_malloc((len+1) * sizeof(*line));
if (line == NULL) {
el_free(cp);
return CC_ERROR;
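Review bot: The comment on the new `el_malloc((len+1) * sizeof(*line))` says only that it satisfies the analyzer, which leaves the next reader unable to tell whether the extra element is a real requirement. If the code after this hunk stores a terminator at `line[len]`, as the analyzer finding suggests, say so: `/* XXXMYSQL: one extra element for the terminator stored after the read */`; if no such store exists, the comment should say the +1 is slack rather than a fix. vi_histedit begins and ends outside this hunk, so the later use of `len` and `line` is not visible here.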
=== modified file 'sql-common/client.c'
--- a/sql-common/client.c 2012-11-20 13:07:29 +0000
+++ b/sql-common/client.c 2012-12-11 05:32:21 +0000
@@ -4731,9 +4731,13 @@ static int old_password_auth_client(MYSQ
pkt_len != SCRAMBLE_LENGTH + 1)
DBUG_RETURN(CR_SERVER_HANDSHAKE_ERR);
- /* save it in MYSQL */
- memcpy(mysql->scramble, pkt, pkt_len);
- mysql->scramble[pkt_len] = 0;
+ /*
+ save it in MYSQL.
+ Copy data of length SCRAMBLE_LENGTH_323 or SCRAMBLE_LENGTH
+ to ensure that buffer overflow does not occur.
+ */
+ memcpy(mysql->scramble, pkt, (pkt_len - 1));
+ mysql->scramble[pkt_len-1] = 0;
}
if (mysql->passwd[0])
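Review bot: The new comment gives the copied length but not why `pkt_len - 1` is the right count: the previous `scramble[pkt_len] = 0` wrote one byte past a `SCRAMBLE_LENGTH + 1` buffer whenever `pkt_len == SCRAMBLE_LENGTH + 1`, and the fix relies on the length check above (its first line is outside the hunk) accepting only the two lengths and on the packet's last byte being the server's terminator. Suggest stating that invariant in the comment, e.g. `/* pkt_len counts the server's trailing NUL, so pkt_len - 1 scramble bytes fit in mysql->scramble and we store our own terminator. */`, and tying the copy to the destination rather than the packet with `DBUG_ASSERT(pkt_len - 1 < sizeof(mysql->scramble));` before the `memcpy`. Whether `mysql->scramble` is declared with `SCRAMBLE_LENGTH + 1` elements is not visible in this hunk; old_password_auth_client continues outside it.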
=== modified file 'storage/innobase/row/row0merge.cc'
--- a/storage/innobase/row/row0merge.cc 2012-12-07 09:47:32 +0000
+++ b/storage/innobase/row/row0merge.cc 2012-12-11 05:32:21 +0000
@@ -876,7 +876,7 @@ err_exit:
case. */
avail_size = &block[srv_sort_buf_size] - b;
-
+ ut_ad(avail_size < sizeof *buf);
memcpy(*buf, b, avail_size);
if (!row_merge_read(fd, ++(*foffs), block)) {
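Review bot: `ut_ad(avail_size < sizeof *buf)` documents the bound only in debug builds; in a release build it compiles away and the `memcpy(*buf, b, avail_size)` on the next line still runs unchecked, so the actual guarantee presumably is that `srv_sort_buf_size`, from which `avail_size` is derived two lines up, never exceeds `sizeof *buf`. Worth naming that dependency next to the assertion, e.g. `/* avail_size <= srv_sort_buf_size, which must never exceed sizeof *buf */`, or enforcing it once where `srv_sort_buf_size` is set rather than at each copy. The strict `<` is also stricter than this copy alone requires; if the code after the hunk appends further bytes at `*buf + avail_size` the strictness is right and the comment should say so. The enclosing function starts and ends outside the hunk.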
=== modified file 'zlib/inflate.c'
--- a/zlib/inflate.c 2005-09-21 22:17:48 +0000
+++ b/zlib/inflate.c 2012-12-11 05:32:21 +0000
@@ -574,6 +574,11 @@ int flush;
static const unsigned short order[19] = /* permutation of code lengths */
{16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};
+ /* XXXMYSQL: To assert that put is never used uninitialized */
+#ifdef DEBUG
+ put = NULL;
+#endif /* DEBUG */
+
if (strm == Z_NULL || strm->state == Z_NULL || strm->next_out == Z_NULL ||
(strm->next_in == Z_NULL && strm->avail_in != 0))
return Z_STREAM_ERROR;
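Review bot: The new `put = NULL;` is guarded by `#ifdef DEBUG`, so the uninitialized-variable finding is silenced only in debug builds and the release build keeps exactly the pattern the analyzer flagged; the assignment is a single store and can be unconditional. The file otherwise spells the null pointer `Z_NULL` (see the `strm == Z_NULL` checks immediately below), so `put = Z_NULL;` matches the local style. inflate() begins and ends outside this hunk, and `put` is presumably declared above it.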
@@ -823,6 +828,8 @@ int flush;
if (copy > have) copy = have;
if (copy > left) copy = left;
if (copy == 0) goto inf_leave;
+ /* XXXMYSQL: Assert that put is not uninitialized */
+ Assert ( put != NULL, "put is uninitialized" );
zmemcpy(put, next, copy);
have -= copy;
next += copy;
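Review bot: The `Assert ( put != NULL, "put is uninitialized" )` added here and in the hunks at L133-141 and L142-155 expands to nothing unless `DEBUG` is defined (zlib's `Assert` is a no-op otherwise), so it checks nothing in a production build and the accompanying comments should say they are debug-only checks. `Assert(put != Z_NULL, "put is uninitialized");`, with the file's `Z_NULL` spelling and without the spaces inside the parentheses, matches the surrounding code. As far as the visible code shows, `put` is populated from `strm->next_out` after the `Z_STREAM_ERROR` check in the hunk at L113-123 has already rejected a null `next_out`, so these assertions can only fire if that sequencing breaks; a one-line comment on the first one stating that would explain the intent better than "put is uninitialized". inflate() continues outside each of these hunks.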
@@ -1057,6 +1064,8 @@ int flush;
if (copy > state->length) copy = state->length;
}
else { /* copy from output */
+ /* XXXMYSQL: Assert that put is not uninitialized */
+ Assert ( put != NULL, "put is uninitialized" );
from = put - state->offset;
copy = state->length;
}
@@ -1080,9 +1089,12 @@ int flush;
out -= left;
strm->total_out += out;
state->total += out;
- if (out)
+ if (out) {
+ /* XXXMYSQL: Assert that put is not uninitialized */
+ Assert ( put != NULL, "put is uninitialized" );
strm->adler = state->check =
UPDATE(state->check, put - out, out);
+ }
out = left;
if ((
#ifdef GUNZIP
No bundle (reason: useless for push emails).