List: Commits
From: Tatjana A Nuernberg
Date: October 17 2007 1:29pm
Subject: bk commit into 5.0 tree (tnurnberg:1.2536) BUG#31588
Below is the list of changes that have just been committed into a local
5.0 repository of tnurnberg. When tnurnberg does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet@stripped, 2007-10-17 13:29:18+02:00, tnurnberg@stripped +3 -0
  Bug#31588: buffer overrun when setting variables
  
  Buffer used when setting variables was not dimensioned to accommodate
  trailing '\0'. An overflow by one character was therefore possible.
  CS corrects limits to prevent such overflows. The actual error message
  using this buffered value only prints the first 64 characters of it
  anyway, so this causes no change visible to the user at this point.

  mysql-test/r/variables.result@stripped, 2007-10-17 13:29:14+02:00,
tnurnberg@stripped +2 -0
    Try to overflow buffer used for setting system variables.
    Unpatched server should throw a valgrind warning here.
    Actual value and error message irrelevant, only length counts.

  mysql-test/t/variables.test@stripped, 2007-10-17 13:29:14+02:00,
tnurnberg@stripped +7 -0
    Try to overflow buffer used for setting system variables.

  sql/set_var.cc@stripped, 2007-10-17 13:29:14+02:00, tnurnberg@stripped +1 -1
    Adjust maximum number of characters we can store in 'buff' by one
    as strmake() will write a terminating '\0'.

diff -Nrup a/mysql-test/r/variables.result b/mysql-test/r/variables.result
--- a/mysql-test/r/variables.result	2007-10-04 10:33:56 +02:00
+++ b/mysql-test/r/variables.result	2007-10-17 13:29:14 +02:00
@@ -793,6 +793,8 @@ ERROR HY000: Variable 'hostname' is a re
 show variables like 'hostname';
 Variable_name	Value
 hostname	#
+set global sql_mode=repeat('a',80);
+ERROR 42000: Variable 'sql_mode' can't be set to the value of
'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
 End of 5.0 tests
 set global binlog_cache_size         =@my_binlog_cache_size;
 set global connect_timeout           =@my_connect_timeout;
diff -Nrup a/mysql-test/t/variables.test b/mysql-test/t/variables.test
--- a/mysql-test/t/variables.test	2007-10-04 10:33:56 +02:00
+++ b/mysql-test/t/variables.test	2007-10-17 13:29:14 +02:00
@@ -675,6 +675,13 @@ set @@hostname= "anothername";
 --replace_column 2 #
 show variables like 'hostname';
 
+#
+# Bug#31588 buffer overrun when setting variables
+#
+# Buffer-size Off By One. Should throw valgrind-warning without fix #31588.
+--error 1231
+set global sql_mode=repeat('a',80);
+
 --echo End of 5.0 tests
 
 # This is at the very after the versioned tests, since it involves doing
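Review bot: The added `set global sql_mode=repeat('a',80);` expects error 1231 with or without the fix, so by the test comment's own wording the regression is only caught when the suite runs under valgrind; a plain run passes on an unpatched server too. Say that explicitly in the comment block above the statement, and note how 80 relates to the size of the buffer in sys_var::check_set, so the length is not later shortened below the point where the overrun occurs.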
diff -Nrup a/sql/set_var.cc b/sql/set_var.cc
--- a/sql/set_var.cc	2007-10-04 21:58:36 +02:00
+++ b/sql/set_var.cc	2007-10-17 13:29:14 +02:00
@@ -1765,7 +1765,7 @@ bool sys_var::check_set(THD *thd, set_va
 					    &not_used));
     if (error_len)
     {
-      strmake(buff, error, min(sizeof(buff), error_len));
+      strmake(buff, error, min(sizeof(buff) - 1, error_len));
       goto err;
     }
   }
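Review bot: On the changed line `strmake(buff, error, min(sizeof(buff) - 1, error_len));` the reason for the `- 1` (strmake() writes a terminating '\0' after the copied characters) is recorded only in the commit message, not in the code. Add a one-line comment there so the bound is not later "simplified" back to sizeof(buff), and check the other strmake() calls in this file that pass sizeof() of the destination as the length for the same off-by-one.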
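The off-by-one described in the commit message, as an added example that is not MySQL code: `strmake_like` is a stand-in written to the contract the commit states (copy at most `length` characters, then write a '\0'), and `BUFF_SIZE`, the guard byte and `guard_intact` are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFF_SIZE 16   /* constructed; the real sizeof(buff) is not shown on the page */
#define GUARD     0x5A /* marker byte placed directly after the buffer */

/* Stand-in for the copy routine: copies at most `length` characters and then
   writes a terminating '\0', so it can touch up to length + 1 bytes of dst. */
static char *strmake_like(char *dst, const char *src, size_t length)
{
    while (length-- && *src)
        *dst++ = *src++;
    *dst = '\0';
    return dst;
}

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Copies `value` using `limit` as the bound, the way check_set() bounds the
   copy with min(limit, error_len). The first BUFF_SIZE bytes of `region` play
   the role of buff; the extra byte is a guard that stays inside the array, so
   the overrun is observable without undefined behaviour.
   Returns 1 if the guard survived, 0 if the terminator landed on it. */
int guard_intact(size_t limit, const char *value, size_t value_len)
{
    char region[BUFF_SIZE + 1];
    memset(region, GUARD, sizeof(region));
    strmake_like(region, value, min_sz(limit, value_len));
    return (unsigned char)region[BUFF_SIZE] == GUARD;
}

int main(void)
{
    char value[81];
    memset(value, 'a', 80);   /* same shape as repeat('a',80) in the test */
    value[80] = '\0';

    printf("limit = sizeof(buff):     guard intact = %d\n",
           guard_intact(BUFF_SIZE, value, 80));
    printf("limit = sizeof(buff) - 1: guard intact = %d\n",
           guard_intact(BUFF_SIZE - 1, value, 80));
    return 0;
}
```

Only inputs at least as long as the buffer trigger the stray write, which is why the test's length matters and its content does not.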