From:ramil Date:April 16 2007 9:28am
Subject:bk commit into 5.0 tree (ramil:1.2456) BUG#27715
Below is the list of changes that have just been committed into a local
5.0 repository of ram. When ram does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet@stripped, 2007-04-16 12:28:02+05:00, ramil@stripped +4 -0
  Fix for 
  bug #27715: mysqld --character-sets-dir buffer overflow
  bug ##26851: Mysql Client --pager Buffer Overflow
  
  Using strmov() to copy an argument may cause overflow 
  if the argument's length is bigger than the buffer:
  use strmake instead.
  Also, we have to increase the error message buffer size to fit 
  the longest message.

  client/mysql.cc@stripped, 2007-04-16 12:28:00+05:00, ramil@stripped +2 -2
    Fix for 
    bug #27715: mysqld --character-sets-dir buffer overflow
    bug ##26851: Mysql Client --pager Buffer Overflow
      - use strmake() instead of strmov() to avoid buffer overflow.

  mysql-test/r/mysql.result@stripped, 2007-04-16 12:28:01+05:00, ramil@stripped +4 -0
    Fix for 
    bug #27715: mysqld --character-sets-dir buffer overflow
    bug ##26851: Mysql Client --pager Buffer Overflow
    
      - test result.

  mysql-test/t/mysql.test@stripped, 2007-04-16 12:28:01+05:00, ramil@stripped +6 -0
    Fix for 
    bug #27715: mysqld --character-sets-dir buffer overflow
    bug ##26851: Mysql Client --pager Buffer Overflow
    
      - test case.

  mysys/charset.c@stripped, 2007-04-16 12:28:01+05:00, ramil@stripped +4 -4
    Fix for 
    bug #27715: mysqld --character-sets-dir buffer overflow
    bug ##26851: Mysql Client --pager Buffer Overflow
    
      - encrease error message buffer size to fit the (possible) longest message.

# This is a BitKeeper patch.  What follows are the unified diffs for the
# set of deltas contained in the patch.  The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User:	ramil
# Host:	ramil.myoffice.izhnet.ru
# Root:	/home/ram/work/b26851/b26851.5.0

--- 1.235/client/mysql.cc	2007-04-16 12:28:06 +05:00
+++ 1.236/client/mysql.cc	2007-04-16 12:28:06 +05:00
@@ -808,7 +808,7 @@ get_one_option(int optid, const struct m
     break;
 #endif
   case OPT_CHARSETS_DIR:
-    strmov(mysql_charsets_dir, argument);
+    strmake(mysql_charsets_dir, argument, sizeof(mysql_charsets_dir) - 1);
     charsets_dir = mysql_charsets_dir;
     break;
   case  OPT_DEFAULT_CHARSET:
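Review bot: The bounded copy on the added line truncates an over-long `--character-sets-dir` value silently, so a path that does not fit is accepted and then used as a shorter, different directory; the failure shows up later as an unknown-charset error instead of as an option error. A length check that rejects the argument would be clearer, e.g. `if (strlen(argument) >= sizeof(mysql_charsets_dir))` followed by `return 1;  /* argument too long for mysql_charsets_dir */`, if get_one_option reports option errors with a non-zero return as elsewhere in this client. The `sizeof(mysql_charsets_dir) - 1` bound is only right if `mysql_charsets_dir` is declared as a char array, which its declaration, outside this hunk, presumably confirms. get_one_option starts before and continues past the hunk.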
@@ -861,7 +861,7 @@ get_one_option(int optid, const struct m
       if (argument && strlen(argument))
       {
 	default_pager_set= 1;
-	strmov(pager, argument);
+	strmake(pager, argument, sizeof(pager) - 1);
 	strmov(default_pager, pager);
       }
       else if (default_pager_set)
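Review bot: The copy on the line after the fixed one, `strmov(default_pager, pager);`, is still unbounded, so the fix holds only if `default_pager` is declared at least as large as `pager`; neither declaration is in the hunk, so that should be confirmed, or the line made bounded as well: `strmake(default_pager, pager, sizeof(default_pager) - 1);`. As in the `--character-sets-dir` hunk above, an over-long `--pager` value is now truncated silently and the truncated string is what later names the pager program, which is surprising behaviour for a value that gets executed; rejecting the argument with an error when `strlen(argument) >= sizeof(pager)` would be less ambiguous. get_one_option continues outside the hunk on both sides.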

--- 1.149/mysys/charset.c	2007-04-16 12:28:06 +05:00
+++ 1.150/mysys/charset.c	2007-04-16 12:28:06 +05:00
@@ -388,7 +388,7 @@ my_bool STDCALL init_available_charsets(
 static my_bool init_available_charsets(myf myflags)
 #endif
 {
-  char fname[FN_REFLEN];
+  char fname[FN_REFLEN + sizeof(MY_CHARSET_INDEX)];
   my_bool error=FALSE;
   /*
     We have to use charset_initialized to not lock on THR_LOCK_charset
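Review bot: The new size expression `FN_REFLEN + sizeof(MY_CHARSET_INDEX)` is repeated verbatim here and in the three hunks below (@@ -519, @@ -539, @@ -564) without stating what it guarantees; one named constant beside the definition of `MY_CHARSET_INDEX`, for example `#define CHARSET_INDEX_BUF_LEN (FN_REFLEN + sizeof(MY_CHARSET_INDEX))` (a name chosen for this note, not taken from the tree) with a comment such as `/* charsets dir (at most FN_REFLEN) plus the index file name and its NUL */`, would keep the four buffers in step. The sizing is sufficient only if `get_charsets_dir()` writes at most FN_REFLEN bytes into the buffer it is handed and `MY_CHARSET_INDEX` is a string literal, so that `sizeof` counts its terminator; neither definition is visible in this patch. The code that fills `fname` in this function lies outside the hunk, which begins at the function header and continues past its last line.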
@@ -519,7 +519,7 @@ CHARSET_INFO *get_charset(uint cs_number
 
   if (!cs && (flags & MY_WME))
   {
-    char index_file[FN_REFLEN], cs_string[23];
+    char index_file[FN_REFLEN + sizeof(MY_CHARSET_INDEX)], cs_string[23];
     strmov(get_charsets_dir(index_file),MY_CHARSET_INDEX);
     cs_string[0]='#';
     int10_to_str(cs_number, cs_string+1, 10);
@@ -539,7 +539,7 @@ CHARSET_INFO *get_charset_by_name(const 
 
   if (!cs && (flags & MY_WME))
   {
-    char index_file[FN_REFLEN];
+    char index_file[FN_REFLEN + sizeof(MY_CHARSET_INDEX)];
     strmov(get_charsets_dir(index_file),MY_CHARSET_INDEX);
     my_error(EE_UNKNOWN_COLLATION, MYF(ME_BELL), cs_name, index_file);
   }
@@ -564,7 +564,7 @@ CHARSET_INFO *get_charset_by_csname(cons
 
   if (!cs && (flags & MY_WME))
   {
-    char index_file[FN_REFLEN];
+    char index_file[FN_REFLEN + sizeof(MY_CHARSET_INDEX)];
     strmov(get_charsets_dir(index_file),MY_CHARSET_INDEX);
     my_error(EE_UNKNOWN_CHARSET, MYF(ME_BELL), cs_name, index_file);
   }

--- 1.27/mysql-test/r/mysql.result	2007-04-16 12:28:06 +05:00
+++ 1.28/mysql-test/r/mysql.result	2007-04-16 12:28:06 +05:00
@@ -174,4 +174,8 @@ ERROR 2005 (HY000) at line 1: Unknown My
 1
 ERROR at line 1: DELIMITER cannot contain a backslash character
 ERROR at line 1: DELIMITER cannot contain a backslash character
+1
+1
+1
+1
 End of 5.0 tests

--- 1.27/mysql-test/t/mysql.test	2007-04-16 12:28:06 +05:00
+++ 1.28/mysql-test/t/mysql.test	2007-04-16 12:28:06 +05:00
@@ -264,4 +264,10 @@ EOF
 --exec $MYSQL --version 2>&1 > /dev/null
 --enable_quary_log
 
+#
+# bug #26851: Mysql Client --pager Buffer Overflow
+#
+--exec $MYSQL
--pager="540bytelengthstringxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-e "select 1" 2>&1
+--exec $MYSQL
--character-sets-dir="540bytelengthstringxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-e "select 1" 2>&1
+
 --echo End of 5.0 tests
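Review bot: The comment above the two new `--exec` lines names only bug #26851, but the second invocation exercises `--character-sets-dir`, which the commit message attributes to bug #27715; a second comment line, `# bug #27715: mysqld --character-sets-dir buffer overflow`, above the second `--exec` would make that explicit. The expected output for both invocations is a plain `1`, so the test only establishes that the client no longer crashes on a 540-byte argument; it does not check whether the truncated value is reported or which value is actually used. The `--pager` and `--character-sets-dir` arguments appear broken across lines here, presumably by mail wrapping of the patch rather than in the file itself.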