Commit 1c72446e authored by unknown's avatar unknown

Bug#31752: check strmake() bounds

strmake() called with wrong parameters:
5.0-specific fixes.


client/mysql.cc:
  In debug mode, strmake() fills the unused part of the buffer with
  a test pattern. This overwrites the extra '\0' that the earlier
  bzero() had placed there.
sql/sp.cc:
  off-by-one buffer-size.
parent fe280afa
...@@ -2987,7 +2987,10 @@ com_connect(String *buffer, char *line) ...@@ -2987,7 +2987,10 @@ com_connect(String *buffer, char *line)
Two null bytes are needed in the end of buff to allow Two null bytes are needed in the end of buff to allow
get_arg to find end of string the second time it's called. get_arg to find end of string the second time it's called.
*/ */
strmake(buff, line, sizeof(buff)-2); tmp= strmake(buff, line, sizeof(buff)-2);
#ifdef EXTRA_DEBUG
tmp[1]= 0;
#endif
tmp= get_arg(buff, 0); tmp= get_arg(buff, 0);
if (tmp && *tmp) if (tmp && *tmp)
{ {
......
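Review bot: The second terminating NUL that get_arg depends on is now produced by two different mechanisms depending on the build: the earlier bzero() in release builds and the `tmp[1]= 0;` under EXTRA_DEBUG, which leaves the invariant the comment describes ("two null bytes are needed") implicit and split across places. Writing `tmp[1]= 0;` unconditionally after the strmake call would guarantee the invariant in every build with no extra cost, since strmake returns the position of the NUL it wrote and with a bound of `sizeof(buff)-2` that position is at most `buff[sizeof(buff)-2]`, so `tmp[1]` is always inside buff. If the #ifdef is kept, a one-line comment such as `/* EXTRA_DEBUG strmake() overwrites the trailing bytes with a fill pattern; restore the second NUL */` would tell the next reader why the assignment is conditional. com_connect begins and ends outside this hunk.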
...@@ -1902,7 +1902,7 @@ sp_use_new_db(THD *thd, LEX_STRING new_db, LEX_STRING *old_db, ...@@ -1902,7 +1902,7 @@ sp_use_new_db(THD *thd, LEX_STRING new_db, LEX_STRING *old_db,
if (thd->db) if (thd->db)
{ {
old_db->length= (strmake(old_db->str, thd->db, old_db->length) - old_db->length= (strmake(old_db->str, thd->db, old_db->length - 1) -
old_db->str); old_db->str);
} }
else else
......
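Review bot: `old_db->length - 1` is an unchecked subtraction on a value that, on entry, presumably holds the capacity of `old_db->str`; if `length` is an unsigned type (it appears to be, given the pointer-difference assignment, but the LEX_STRING definition is not in the hunk) and a caller passes a zero-length buffer, the bound wraps to a very large value and strmake can write past the buffer. A guard before the call, e.g. `DBUG_ASSERT(old_db->length > 0);` or an explicit early return, would make the off-by-one fix robust to that input. The dual use of `old_db->length` (buffer size in, string length out) is also worth stating in a comment on the assignment, such as `/* old_db->length is the buffer size on entry, the copied length on exit */`. sp_use_new_db begins and ends outside this hunk.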