From: ahristov
Date: March 12 2007 10:22am
Subject: PHP mysqlnd svn commit: r96 - trunk/ext/mysqli/mysqlnd
List-Archive: http://lists.mysql.com/commits/21705
Message-Id: <200703121022.l2CAMar3016508@bk-internal.mysql.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Author: ahristov
Date: 2007-03-12 11:22:35 +0100 (Mon, 12 Mar 2007)
New Revision: 96
Modified: trunk/ext/mysqli/mysqlnd/mysqlnd.c
Log: Fix possible stack overrun
Modified: trunk/ext/mysqli/mysqlnd/mysqlnd.c
===================================================================
--- trunk/ext/mysqli/mysqlnd/mysqlnd.c 2007-03-12 09:58:08 UTC (rev 95)
+++ trunk/ext/mysqli/mysqlnd/mysqlnd.c 2007-03-12 10:22:35 UTC (rev 96)
@@ -27,7 +27,9 @@
 #define MYSQLND_SILENT
-
+/* the server doesn't support 4byte utf8, but let's make it forward compatible */
+#define MYSQLND_MAX_ALLOWED_USER_LEN 256 /* 64 char * 4byte */
+#define MYSQLND_MAX_ALLOWED_DB_LEN 256 /* 64 char * 4byte */
 /* TODO : - Don't bind so tightly the metadata with the result set. This means
@@ -2077,10 +2079,11 @@
 Stack space is not that expensive, so use a bit more to be protected against stack overrungs. */
-int user_len;
+size_t user_len;
 enum_func_status ret;
 php_mysql_packet_chg_user_resp chg_user_resp;
-char buffer[768], *p = buffer;
+size_t buf_len = MYSQLND_MAX_ALLOWED_USER_LEN + 1 + SCRAMBLE_LENGTH + MYSQLND_MAX_ALLOWED_DB_LEN + 1;
+char buffer[buf_len], *p = buffer;
 if (!user) {
 user = "";
@@ -2094,7 +2097,7 @@
 /* 1. user ASCIIZ */
 user_len = strlen(user);
-memcpy(p, user, user_len);
+memcpy(p, user, MIN(user_len, MYSQLND_MAX_ALLOWED_DB_LEN));
 p += user_len;
 *p++ = '\0';
@@ -2109,8 +2112,8 @@
 /* 3. db ASCIIZ */
 if (db[0]) {
-int db_len = strlen(db);
-memcpy(p, db, db_len);
+size_t db_len = strlen(db);
+memcpy(p, db, MIN(db_len, MYSQLND_MAX_ALLOWED_DB_LEN));
 p += db_len;
 }
 *p++ = '\0';
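Review bot: `char buffer[buf_len], *p = buffer;` in the `@@ -2077,10 +2079,11 @@` hunk turns the stack buffer into a variable-length array, because `buf_len` is a runtime `size_t` even though every term of its initializer is a compile-time constant. A VLA requires C99 support that compilers such as MSVC do not provide, and it also stops `sizeof buffer` from being a constant usable in later bounds checks. Sizing the array directly, `char buffer[MYSQLND_MAX_ALLOWED_USER_LEN + 1 + SCRAMBLE_LENGTH + MYSQLND_MAX_ALLOWED_DB_LEN + 1], *p = buffer;`, keeps the fixed-size stack buffer that the comment above it describes. The enclosing function begins before and ends after this hunk.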
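Review bot: Clamping only the `memcpy` length in the `@@ -2094,7 +2097,7 @@` hunk does not close the overrun, because `p += user_len;` on the next line still advances by the full `strlen(user)`, so a name longer than the limit leaves `p` past the end of `buffer` before `*p++ = '\0'` and the remaining copies that follow. The bound belongs on the length itself, `user_len = MIN(strlen(user), MYSQLND_MAX_ALLOWED_USER_LEN);` followed by `memcpy(p, user, user_len);`, which also corrects the user copy currently being limited by `MYSQLND_MAX_ALLOWED_DB_LEN`. The db copy in the `@@ -2109,8 +2112,8 @@` hunk has the same shape and needs `db_len = MIN(strlen(db), MYSQLND_MAX_ALLOWED_DB_LEN);` before `p += db_len;`. Silent truncation also sends a different user or database name than the caller supplied; since the function already declares an `enum_func_status ret`, rejecting over-long input with an error looks preferable, though the return path lies outside these hunks.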