From:Kristofer Pettersson Date:November 17 2008 10:11am
Subject:bzr commit into mysql-5.1 branch (kristofer.pettersson:2687) Bug#40778
#At file:///home/thek/Development/cpp/mysqlbzr/mysql-5.1-bug38883/

 2687 Kristofer Pettersson	2008-11-17
      Bug#40778 thd_security_context has bad architecture; allocates on unprotected memroot
      
      The function thd_security_context allocates memory on an unprotected MEM_ROOT if the
      message length becomes longer than requested and the initial buffer memory needs to be
      reallocated.
      
      This patch fixes the design error by copying parts of the reallocated buffer 
      to the destination buffer. This works because the destination buffer isn't
      owned by the String object and thus isn't freed when a new buffer is allocated.
      Any new memory allocated by the String object is reclaimed when the object
      is destroyed at the end of the function call.
modified:
  sql/sql_class.cc

=== modified file 'sql/sql_class.cc'
--- a/sql/sql_class.cc	2008-11-07 12:12:56 +0000
+++ b/sql/sql_class.cc	2008-11-17 10:20:38 +0000
@@ -385,7 +385,13 @@ char *thd_security_context(THD *thd, cha
   }
   if (str.c_ptr_safe() == buffer)
     return buffer;
-  return thd->strmake(str.ptr(), str.length());
+
+  /*
+    We have to copy the new string to the destination buffer because the string
+    was reallocated to a larger buffer to be able to fit.
+  */
+  memcpy(buffer,str.c_ptr_quick(),min(str.length(),length));
+  return buffer;
 }
 
 /**
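Review bot: the `memcpy(buffer,str.c_ptr_quick(),min(str.length(),length))` line does not guarantee that `buffer` is NUL-terminated when the message is truncated. If `str.length() >= length`, exactly `length` bytes are copied, leaving no room for the terminator, and `c_ptr_quick()` (unlike the `c_ptr_safe()` used in the comparison just above) does not itself add one; a caller treating the returned `char *` as a C string would then read past the end of `buffer`. Suggest copying at most `length - 1` bytes and terminating explicitly, e.g. `size_t n= min(str.length(), length - 1); memcpy(buffer, str.c_ptr_quick(), n); buffer[n]= '\0';`. It would also help to note in the comment that the message is silently truncated to the caller's buffer in this case, since the caller has no way to detect it from the return value. Minor style point: add spaces after the commas in the `memcpy` call to match the surrounding code.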
