From:Harin Vadodaria Date:December 11 2012 5:38am
Subject:bzr push into mysql-5.6 branch (harin.vadodaria:4744 to 4745) Bug#15884324
 4745 Harin Vadodaria	2012-12-11
      Bug#15884324: FIX ISSUES IDENTIFIED BY FORTIFY
      
      Description: This patch covers fixes and assertions for buffer
                   overflow issues identified by Fortify.

    modified:
      client/mysql_plugin.c
      cmd-line-utils/libedit/vi.c
      sql-common/client.c
      storage/innobase/row/row0merge.cc
      zlib/inflate.c
 4744 Annamalai Gurusami	2012-12-11 [merge]
      Null merge from mysql-5.5 to mysql-5.6. 

=== modified file 'client/mysql_plugin.c'
--- a/client/mysql_plugin.c	2012-10-03 06:13:53 +0000
+++ b/client/mysql_plugin.c	2012-12-11 05:32:21 +0000
@@ -558,13 +558,18 @@ static int search_dir(const char * base_
   const char *last_fn_libchar;
 #endif
 
+  if ((strlen(base_path) + strlen(subdir) + 1) > FN_REFLEN)
+  {
+    fprintf(stderr, "WARNING: Search path is too long\n");
+    return 1;
+  }
   strcpy(source_path, base_path);
   strcat(source_path, subdir);
   fn_format(new_path, tool_name, source_path, "", MY_UNPACK_FILENAME);
   if (file_exists(new_path))
   {
     strcpy(tool_path, new_path);
-    return 1;
+    return 0;
   }  
 
 #if __WIN__
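Review bot: The new length guard protects only `source_path`; the `strcpy(tool_path, new_path)` on the found branch is still unbounded, and neither the size of tool_path nor that of new_path is visible in the hunk, so a Fortify finding on that copy may remain — a bounded copy such as `snprintf(tool_path, FN_REFLEN, "%s", new_path)` (if tool_path is FN_REFLEN bytes) would close it. The guard itself assumes source_path holds FN_REFLEN bytes including the terminator; the declaration is outside the hunk, so that should be confirmed. The return-value inversion (0 now means found, 1 means not found) is undocumented here, in the next hunk, and in search_paths and find_tool below; a line above search_dir such as `/* Returns 0 when tool_name was found and tool_path filled in, 1 otherwise. */` would make the new convention explicit. search_dir continues past the end of this hunk.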
@@ -588,11 +593,11 @@ static int search_dir(const char * base_
     if (file_exists(win_abs_path))
     {
       strcpy(tool_path, win_abs_path);
-      return 1;
+      return 0;
     }
   }
 #endif
-  return 0;
+  return 1;
 }
 
 
@@ -617,12 +622,12 @@ static int search_paths(const char *base
   };
   for (i = 0 ; i < (int)array_elements(paths); i++)
   {
-    if (search_dir(base_path, tool_name, paths[i], tool_path))
+    if (!search_dir(base_path, tool_name, paths[i], tool_path))
     {
-      return 1;
+      return 0;
     }
   }
-  return 0;
+  return 1;
 }
 
 
@@ -1006,7 +1011,7 @@ static int find_tool(const char *tool_na
   };
   for (i= 0; i < (int)array_elements(paths); i++)
   {
-    if (paths[i] && (search_paths(paths[i], tool_name, tool_path)))
+    if (paths[i] && !(search_paths(paths[i], tool_name, tool_path)))
       goto found;
   }
   fprintf(stderr, "WARNING: Cannot find %s.\n", tool_name);

=== modified file 'cmd-line-utils/libedit/vi.c'
--- a/cmd-line-utils/libedit/vi.c	2011-10-13 19:47:46 +0000
+++ b/cmd-line-utils/libedit/vi.c	2012-12-11 05:32:21 +0000
@@ -1028,7 +1028,8 @@ vi_histedit(EditLine *el, Int c __attrib
 		close(fd);
 		return CC_ERROR;
 	}
-	line = el_malloc(len * sizeof(*line));
+	/* XXXMYSQL: Make static analyzer happy */
+	line = el_malloc((len+1) * sizeof(*line));
 	if (line == NULL) {
 		el_free(cp);
 		return CC_ERROR;
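Review bot: The comment on the enlarged allocation says only that it silences the analyzer, not why one extra element is needed, so a later reader cannot tell whether `len` or `len+1` is the real bound. State the invariant instead, e.g. `/* XXXMYSQL: len + 1 elements: room for the terminator stored after the len characters filled in below (confirm against the fill loop) */` — the loop that fills `line` is outside the hunk, so the exact reason needs confirming. If `len` is derived from the edited file's size, the `(len+1) * sizeof(*line)` product is itself a candidate for an overflow bound, though len's type is not visible here.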

=== modified file 'sql-common/client.c'
--- a/sql-common/client.c	2012-11-20 13:07:29 +0000
+++ b/sql-common/client.c	2012-12-11 05:32:21 +0000
@@ -4731,9 +4731,13 @@ static int old_password_auth_client(MYSQ
         pkt_len != SCRAMBLE_LENGTH + 1)
         DBUG_RETURN(CR_SERVER_HANDSHAKE_ERR);
 
-    /* save it in MYSQL */
-    memcpy(mysql->scramble, pkt, pkt_len);
-    mysql->scramble[pkt_len] = 0;
+    /*
+      save it in MYSQL.
+      Copy data of length SCRAMBLE_LENGTH_323 or SCRAMBLE_LENGTH
+      to ensure that buffer overflow does not occur.
+    */
+    memcpy(mysql->scramble, pkt, (pkt_len - 1));
+    mysql->scramble[pkt_len-1] = 0;
   }
 
   if (mysql->passwd[0])
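Review bot: The new copy relies on `pkt[pkt_len-1]` being the packet's trailing terminator that is safe to drop, and on `mysql->scramble` holding at least `SCRAMBLE_LENGTH + 1` bytes; neither is stated, and the first length guard (the SCRAMBLE_LENGTH_323 case) is outside the hunk. Extend the comment to say so explicitly, e.g. `The last byte of pkt is the wire terminator, so pkt_len - 1 is exactly SCRAMBLE_LENGTH_323 or SCRAMBLE_LENGTH and fits in mysql->scramble.` A compile-time assertion tying `sizeof(mysql->scramble)` to `SCRAMBLE_LENGTH + 1` next to the copy would keep the bound from drifting silently if either definition changes.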

=== modified file 'storage/innobase/row/row0merge.cc'
--- a/storage/innobase/row/row0merge.cc	2012-12-07 09:47:32 +0000
+++ b/storage/innobase/row/row0merge.cc	2012-12-11 05:32:21 +0000
@@ -876,7 +876,7 @@ err_exit:
 		case. */
 
 		avail_size = &block[srv_sort_buf_size] - b;
-
+		ut_ad(avail_size < sizeof *buf);
 		memcpy(*buf, b, avail_size);
 
 		if (!row_merge_read(fd, ++(*foffs), block)) {
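Review bot: `ut_ad` is compiled out in release builds, so the `memcpy(*buf, b, avail_size)` stays unchecked exactly where the Fortify finding applies; the assertion documents the bound but does not enforce it. If `avail_size < sizeof *buf` is a genuine invariant (avail_size is at most srv_sort_buf_size minus the offset of b, and a record straddling the block end presumably fits the record buffer), a comment saying so would justify a debug-only check, e.g. `/* A record straddling the block end cannot exceed the record buffer, so its tail always fits in *buf. */`; if a corrupt merge file could violate it, an always-on check that aborts the merge is needed instead. The strict `<` rather than `<=` also deserves a word, presumably because the rest of the record is appended after avail_size — confirm. The enclosing function starts and ends outside the hunk.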

=== modified file 'zlib/inflate.c'
--- a/zlib/inflate.c	2005-09-21 22:17:48 +0000
+++ b/zlib/inflate.c	2012-12-11 05:32:21 +0000
@@ -574,6 +574,11 @@ int flush;
     static const unsigned short order[19] = /* permutation of code lengths */
         {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};
 
+    /* XXXMYSQL: To assert that put is never used uninitialized */
+#ifdef DEBUG
+    put = NULL;
+#endif /* DEBUG */
+
     if (strm == Z_NULL || strm->state == Z_NULL || strm->next_out == Z_NULL ||
         (strm->next_in == Z_NULL && strm->avail_in != 0))
         return Z_STREAM_ERROR;
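Review bot: The `put = NULL` initialization is compiled only under DEBUG, and zlib's `Assert` is likewise a no-op otherwise, so release builds are unchanged and the Fortify finding is documented rather than fixed; if, as in upstream zlib, `put` is loaded from `strm->next_out` by the LOAD() macro right after this argument check, the asserts in the hunks at 823, 1057 and 1080 can never fire and the comment should say the report is a false positive, e.g. `/* XXXMYSQL: put is set by LOAD() before any use; this initialization only lets DEBUG builds prove it. */`. Stylistically, `Assert ( put != NULL, "put is uninitialized" )` uses spacing no other assertion in the file uses; `Assert(put != NULL, "put is uninitialized");` matches. Since this is a vendored upstream file, keeping every XXXMYSQL edit listed in one place would help them survive the next zlib upgrade.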
@@ -823,6 +828,8 @@ int flush;
                 if (copy > have) copy = have;
                 if (copy > left) copy = left;
                 if (copy == 0) goto inf_leave;
+                /* XXXMYSQL: Assert that put is not uninitialized */
+                Assert ( put != NULL, "put is uninitialized" );
                 zmemcpy(put, next, copy);
                 have -= copy;
                 next += copy;
@@ -1057,6 +1064,8 @@ int flush;
                 if (copy > state->length) copy = state->length;
             }
             else {                              /* copy from output */
+                /* XXXMYSQL: Assert that put is not uninitialized */
+                Assert ( put != NULL, "put is uninitialized" );
                 from = put - state->offset;
                 copy = state->length;
             }
@@ -1080,9 +1089,12 @@ int flush;
                 out -= left;
                 strm->total_out += out;
                 state->total += out;
-                if (out)
+                if (out) {
+                    /* XXXMYSQL: Assert that put is not uninitialized */
+                    Assert ( put != NULL, "put is uninitialized" );
                     strm->adler = state->check =
                         UPDATE(state->check, put - out, out);
+                }
                 out = left;
                 if ((
 #ifdef GUNZIP

No bundle (reason: useless for push emails).