From: Harin Vadodaria Date: December 11 2012 5:37am Subject: bzr push into mysql-trunk branch (harin.vadodaria:5199 to 5200) Bug#15884324 List-Archive: http://lists.mysql.com/commits/145470 X-Bug: 15884324 Message-Id: <20121211053735.16732.25655.5200@hvadodar-ThinkPad-T420> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit 5200 Harin Vadodaria 2012-12-11 [merge] Bug#15884324: FIX ISSUES IDENTIFIED BY FORTIFY Description: Merge from 5.6 to trunk. modified: client/mysql_plugin.c cmd-line-utils/libedit/vi.c sql-common/client.c storage/innobase/row/row0merge.cc zlib/inflate.c 5199 Annamalai Gurusami 2012-12-11 [merge] Null merge from mysql-5.6 to mysql-5.7. === modified file 'client/mysql_plugin.c' --- a/client/mysql_plugin.c 2012-10-03 06:29:50 +0000 +++ b/client/mysql_plugin.c 2012-12-11 05:35:54 +0000 @@ -558,13 +558,18 @@ static int search_dir(const char * base_ const char *last_fn_libchar; #endif + if ((strlen(base_path) + strlen(subdir) + 1) > FN_REFLEN) + { + fprintf(stderr, "WARNING: Search path is too long\n"); + return 1; + } strcpy(source_path, base_path); strcat(source_path, subdir); fn_format(new_path, tool_name, source_path, "", MY_UNPACK_FILENAME); if (file_exists(new_path)) { strcpy(tool_path, new_path); - return 1; + return 0; } #if __WIN__ @@ -588,11 +593,11 @@ static int search_dir(const char * base_ if (file_exists(win_abs_path)) { strcpy(tool_path, win_abs_path); - return 1; + return 0; } } #endif - return 0; + return 1; } @@ -617,12 +622,12 @@ static int search_paths(const char *base }; for (i = 0 ; i < (int)array_elements(paths); i++) { - if (search_dir(base_path, tool_name, paths[i], tool_path)) + if (!search_dir(base_path, tool_name, paths[i], tool_path)) { - return 1; + return 0; } } - return 0; + return 1; } 
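Review bot: The new length guard only protects the `strcpy`/`strcat` into source_path; the copies into the caller's buffer, `strcpy(tool_path, new_path)` in this hunk and `strcpy(tool_path, win_abs_path)` in the `#if __WIN__` branch of the next one, remain unbounded, and neither tool_path's nor new_path's size is visible here, so whether they can differ should be confirmed against the declarations. If tool_path is a FN_REFLEN buffer like the one fn_format fills the copy is safe; if not, it needs a bounded copy such as `strmake(tool_path, new_path, FN_REFLEN - 1);`. Separately, search_paths and find_tool both loop over several candidate directories, so one over-long base_path prints "WARNING: Search path is too long" once per subdir; returning 1 quietly from search_dir and warning once in the caller would avoid the repeated output. search_dir's signature and the declaration of source_path are outside the hunk.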
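Review bot: The return contract of search_paths (and of search_dir, which it wraps) is inverted in this hunk — 0 now means found and tool_path set, 1 means not found — but nothing in the code records that, and a reader seeing `return 1` after a search loop, or `!search_dir(...)` as the success test, can easily read it backwards. A one-line comment above the definition would pin it down, e.g. `/* Returns 0 and sets tool_path when tool_name is found under base_path; 1 otherwise. */`, with the same note on search_dir. The function's signature is outside the hunk, so the comment belongs just above it.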
@@ -1006,7 +1011,7 @@ static int find_tool(const char *tool_na }; for (i= 0; i < (int)array_elements(paths); i++) { - if (paths[i] && (search_paths(paths[i], tool_name, tool_path))) + if (paths[i] && !(search_paths(paths[i], tool_name, tool_path))) goto found; } fprintf(stderr, "WARNING: Cannot find %s.\n", tool_name); === modified file 'cmd-line-utils/libedit/vi.c' --- a/cmd-line-utils/libedit/vi.c 2011-10-13 19:47:46 +0000 +++ b/cmd-line-utils/libedit/vi.c 2012-12-11 05:32:21 +0000 @@ -1028,7 +1028,8 @@ vi_histedit(EditLine *el, Int c __attrib close(fd); return CC_ERROR; } - line = el_malloc(len * sizeof(*line)); + /* XXXMYSQL: Make static analyzer happy */ + line = el_malloc((len+1) * sizeof(*line)); if (line == NULL) { el_free(cp); return CC_ERROR; === modified file 'sql-common/client.c' --- a/sql-common/client.c 2012-12-06 11:34:49 +0000 +++ b/sql-common/client.c 2012-12-11 05:35:54 +0000 @@ -4736,9 +4736,13 @@ static int old_password_auth_client(MYSQ pkt_len != SCRAMBLE_LENGTH + 1) DBUG_RETURN(CR_SERVER_HANDSHAKE_ERR); - /* save it in MYSQL */ - memcpy(mysql->scramble, pkt, pkt_len); - mysql->scramble[pkt_len] = 0; + /* + save it in MYSQL. + Copy data of length SCRAMBLE_LENGTH_323 or SCRAMBLE_LENGTH + to ensure that buffer overflow does not occur. + */ + memcpy(mysql->scramble, pkt, (pkt_len - 1)); + mysql->scramble[pkt_len-1] = 0; } if (mysql->passwd[0]) === modified file 'storage/innobase/row/row0merge.cc' --- a/storage/innobase/row/row0merge.cc 2012-12-07 09:52:03 +0000 +++ b/storage/innobase/row/row0merge.cc 2012-12-11 05:35:54 +0000 @@ -876,7 +876,7 @@ err_exit: case. */ avail_size = &block[srv_sort_buf_size] - b; - + ut_ad(avail_size < sizeof *buf); memcpy(*buf, b, avail_size); if (!row_merge_read(fd, ++(*foffs), block)) { === modified file 'zlib/inflate.c' --- a/zlib/inflate.c 2005-09-21 22:17:48 +0000 +++ b/zlib/inflate.c 2012-12-11 05:32:21 +0000 
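Review bot: The comment on the enlarged allocation, `/* XXXMYSQL: Make static analyzer happy */`, says why the change was made but not what the extra element is for, which is exactly what a later maintainer needs before deciding whether the +1 can be dropped; if the code after the hunk writes or reads a terminator at `line[len]` this is a genuine off-by-one fix, and if it does not the warning was a false positive being papered over. Either way the comment should state the contract, e.g. `/* XXXMYSQL: len + 1 so line[len] can hold the terminating NUL */`, adjusted to the real reason once checked against the code below. The loop that fills `line` continues outside the hunk, so this is inferred rather than verified.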
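Review bot: The fix is right for the lengths admitted by the guard above (per the added comment, pkt_len is SCRAMBLE_LENGTH_323 + 1 or SCRAMBLE_LENGTH + 1, the last byte being the server's terminator), but `pkt_len - 1` is a magic adjustment that silently depends on that guard, and the removed lines show how easily the terminator byte was double-counted into a one-past-the-end write. Naming the quantity makes the invariant explicit, e.g. a local `scramble_len= pkt_len - 1; /* pkt includes the server's trailing NUL */` used in both the memcpy and the index, and MySQL's `compile_time_assert(sizeof(mysql->scramble) > SCRAMBLE_LENGTH);` beside it would have caught the original overflow at build time. The size of mysql->scramble is not visible in the hunk, so the assert's bound should be checked against the struct definition. old_password_auth_client continues outside the hunk.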
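Review bot: `ut_ad` compiles to nothing in non-debug builds, so the bound on the `memcpy(*buf, b, avail_size)` that Fortify flagged is still unchecked where it matters; the assertion documents the invariant but does not enforce it in release. avail_size comes from `&block[srv_sort_buf_size] - b`, i.e. from how far into the sort block the reader has advanced, and if that position is driven by lengths read back from the merge file a corrupted file could push avail_size past `sizeof *buf` in production. If the surrounding code already guarantees b lies within the last record-sized tail of the block, a comment next to the assert saying so would settle it; otherwise a release-mode check such as `if (UNIV_UNLIKELY(avail_size >= sizeof *buf)) goto err_exit;` is cheap. The `err_exit` label named in the hunk header and the declaration of buf are outside the hunk, so the type behind `sizeof *buf` should be confirmed.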
@@ -574,6 +574,11 @@ int flush; static const unsigned short order[19] = /* permutation of code lengths */ {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15}; + /* XXXMYSQL: To assert that put is never used uninitialized */ +#ifdef DEBUG + put = NULL; +#endif /* DEBUG */ + if (strm == Z_NULL || strm->state == Z_NULL || strm->next_out == Z_NULL || (strm->next_in == Z_NULL && strm->avail_in != 0)) return Z_STREAM_ERROR; @@ -823,6 +828,8 @@ int flush; if (copy > have) copy = have; if (copy > left) copy = left; if (copy == 0) goto inf_leave; + /* XXXMYSQL: Assert that put is not uninitialized */ + Assert ( put != NULL, "put is uninitialized" ); zmemcpy(put, next, copy); have -= copy; next += copy; @@ -1057,6 +1064,8 @@ int flush; if (copy > state->length) copy = state->length; } else { /* copy from output */ + /* XXXMYSQL: Assert that put is not uninitialized */ + Assert ( put != NULL, "put is uninitialized" ); from = put - state->offset; copy = state->length; } @@ -1080,9 +1089,12 @@ int flush; out -= left; strm->total_out += out; state->total += out; - if (out) + if (out) { + /* XXXMYSQL: Assert that put is not uninitialized */ + Assert ( put != NULL, "put is uninitialized" ); strm->adler = state->check = UPDATE(state->check, put - out, out); + } out = left; if (( #ifdef GUNZIP No bundle (reason: useless for push emails).
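Review bot: The debug-only `put = NULL;` uses the bare `NULL` while the very next condition compares against `Z_NULL`, zlib's own null constant; for consistency with the surrounding code it should read `put = Z_NULL;`, and the same applies to the `put != NULL` in the Assert calls added further down in this commit. Guarding the initialization with `#ifdef DEBUG` also means release and debug builds execute different code, which is usually what one wants to avoid when the debug path is meant to validate the release path; the store is a single instruction, so initializing unconditionally costs nothing. The declaration of `put` is outside the hunk, so initializing it there (`put = Z_NULL` at the declaration, in the file's style) may be the cleaner option.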
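Review bot: If this is the stock zutil.h definition, `Assert` itself expands to nothing unless DEBUG is set, so this check together with the DEBUG-guarded `put = NULL` above forms a debug-only contract with no effect on the release `zmemcpy(put, next, copy)`; that is acceptable as a static-analyzer aid, but the comment should say so instead of implying a runtime guard, e.g. `/* XXXMYSQL: debug-only sanity check that put was set before the first output write */`. The spacing in `Assert ( put != NULL, "..." )` also differs from the `Assert(cond, "msg")` form zlib uses, and `NULL` should be `Z_NULL` as in the rest of the file. Whether `put` can actually reach this point unset depends on the LOAD() near the top of inflate(), which is outside the hunk.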