#At file:///home/lb200670/mysql/mysql-5.0-bugteam/ based on revid:joro@stripped
2866 lars-erik.bjork@stripped 2009-12-11
This is a patch for Bug#48500
5.0 buffer overflow for ER_UPDATE_INFO, or truncated info message in 5.1
5.0.86 has a buffer overflow/crash, and 5.1.40 has a truncated message.
errmsg.txt contains this:
    ER_UPDATE_INFO
        rum "Linii identificate (matched): %ld Schimbate: %ld Atentionari (warnings): %ld"
When that is sprintf'd into a buffer of STRING_BUFFER_USUAL_SIZE size,
a buffer overflow can happen.
The solution to this is to use MYSQL_ERRMSG_SIZE for the buffer size,
instead of STRING_BUFFER_USUAL_SIZE. This will allow longer strings.
To avoid potential crashes, we will also use my_snprintf instead of
sprintf.
@ sql/sql_update.cc
Using MYSQL_ERRMSG_SIZE instead of STRING_BUFFER_USUAL_SIZE.
Using my_snprintf instead of sprintf.
modified:
sql/sql_update.cc
=== modified file 'sql/sql_update.cc'
--- a/sql/sql_update.cc 2009-08-28 15:51:31 +0000
+++ b/sql/sql_update.cc 2009-12-11 16:43:36 +0000
@@ -600,8 +600,8 @@ int mysql_update(THD *thd,
if (error < 0)
{
- char buff[STRING_BUFFER_USUAL_SIZE];
- sprintf(buff, ER(ER_UPDATE_INFO), (ulong) found, (ulong) updated,
+ char buff[MYSQL_ERRMSG_SIZE];
+ my_snprintf(buff, sizeof(buff), ER(ER_UPDATE_INFO), (ulong) found, (ulong) updated,
(ulong) thd->cuted_fields);
thd->row_count_func=
(thd->client_capabilities & CLIENT_FOUND_ROWS) ? found : updated;
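Review bot: the added `+ my_snprintf(buff, sizeof(buff), ER(ER_UPDATE_INFO), (ulong) found, (ulong) updated,` line runs well past 80 columns, which the surrounding code keeps to; break it after `ER(ER_UPDATE_INFO),` and carry the arguments onto the next line the way the removed `sprintf` call did. Two smaller points: `my_snprintf` with `sizeof(buff)` stops the overflow by silently truncating, so "This will allow longer strings" in the commit message holds only up to `MYSQL_ERRMSG_SIZE` (anything longer still shows the truncated-message symptom described for 5.1), and the change lists only `sql/sql_update.cc` as modified, with no test exercising a long translation such as the Romanian `ER_UPDATE_INFO` that would catch the `STRING_BUFFER_USUAL_SIZE` pattern coming back.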
Attachment: [text/bzr-bundle] bzr/lars-erik.bjork@sun.com-20091211164336-f7mtpzt6v218n3wu.bundle
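The two buffer sizes and the two formatting calls compared in the commit message can be checked outside the server. The following is an added example, not MySQL's code: it uses the Romanian ER_UPDATE_INFO text quoted above, substitutes plain snprintf for my_snprintf, and defines its own DEMO_ constants as stand-ins for STRING_BUFFER_USUAL_SIZE and MYSQL_ERRMSG_SIZE (the real values are in MySQL's headers and are not assumed here). It measures how many bytes the message needs for given row counts, reports whether an unbounded sprintf into each buffer would have written past the end, and shows the bounded write returning a truncation flag instead of corrupting memory.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the two MySQL buffer sizes named in the commit.
 * The real values live in MySQL's headers; these are assumptions for the demo. */
#define DEMO_STRING_BUFFER_USUAL_SIZE 80
#define DEMO_MYSQL_ERRMSG_SIZE 512

/* Romanian ER_UPDATE_INFO text, as quoted from errmsg.txt in the commit message. */
static const char *ER_UPDATE_INFO_RUM =
    "Linii identificate (matched): %ld Schimbate: %ld Atentionari (warnings): %ld";

/* Demo buffers of the two sizes, so callers can inspect the formatted text. */
static char demo_small[DEMO_STRING_BUFFER_USUAL_SIZE];
static char demo_big[DEMO_MYSQL_ERRMSG_SIZE];

/* Number of bytes (excluding the terminating NUL) the formatted message needs.
 * snprintf with a NULL buffer and size 0 only measures; it writes nothing. */
static size_t formatted_length(const char *fmt, long found, long updated, long warnings)
{
    int n = snprintf(NULL, 0, fmt, found, updated, warnings);
    return n < 0 ? 0 : (size_t) n;
}

/* 1 if an unbounded sprintf() into a buf_size-byte buffer would write past its end
 * (the pre-patch pattern), 0 if the message plus NUL fits. */
static int sprintf_would_overflow(size_t buf_size, const char *fmt,
                                  long found, long updated, long warnings)
{
    return formatted_length(fmt, found, updated, warnings) + 1 > buf_size;
}

/* The post-patch pattern: bounded write, never past buf_size bytes.
 * Returns 1 if the whole message fit, 0 if snprintf had to truncate it. */
static int format_update_info(char *buf, size_t buf_size, const char *fmt,
                              long found, long updated, long warnings)
{
    int n = snprintf(buf, buf_size, fmt, found, updated, warnings);
    return n >= 0 && (size_t) n < buf_size;
}

int main(void)
{
    /* Constructed counts: ten-digit values push the message past 80 bytes. */
    long found = 1234567890L, updated = 1234567890L, warnings = 1234567890L;

    printf("message needs %zu bytes\n",
           formatted_length(ER_UPDATE_INFO_RUM, found, updated, warnings));
    printf("sprintf into %d bytes overflows: %d\n", DEMO_STRING_BUFFER_USUAL_SIZE,
           sprintf_would_overflow(DEMO_STRING_BUFFER_USUAL_SIZE, ER_UPDATE_INFO_RUM,
                                  found, updated, warnings));
    printf("sprintf into %d bytes overflows: %d\n", DEMO_MYSQL_ERRMSG_SIZE,
           sprintf_would_overflow(DEMO_MYSQL_ERRMSG_SIZE, ER_UPDATE_INFO_RUM,
                                  found, updated, warnings));

    /* Bounded write into the small buffer: memory stays intact, message is cut. */
    int fit = format_update_info(demo_small, sizeof demo_small, ER_UPDATE_INFO_RUM,
                                 found, updated, warnings);
    printf("small buffer fit=%d text=\"%s\"\n", fit, demo_small);

    /* Same write into the larger buffer: the full message fits. */
    fit = format_update_info(demo_big, sizeof demo_big, ER_UPDATE_INFO_RUM,
                             found, updated, warnings);
    printf("big buffer fit=%d text=\"%s\"\n", fit, demo_big);
    return 0;
}
```

The check in sprintf_would_overflow is the one a reviewer wants to be able to run for any translation in errmsg.txt: the literal Romanian text alone is 67 bytes, so three counts of more than four digits each already exceed an 80-byte buffer, while the same text sits comfortably inside the larger one.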