Commit d7acab15 authored by serg@serg.mylan's avatar serg@serg.mylan

sql/password.c: check for buffer overflow in check_scramble_323 (BUG#7187)

parent 68174d7a
...@@ -211,12 +211,13 @@ check_scramble_323(const char *scrambled, const char *message, ...@@ -211,12 +211,13 @@ check_scramble_323(const char *scrambled, const char *message,
ulong hash_message[2]; ulong hash_message[2];
char buff[16],*to,extra; /* Big enough for check */ char buff[16],*to,extra; /* Big enough for check */
const char *pos; const char *pos;
hash_password(hash_message, message, SCRAMBLE_LENGTH_323); hash_password(hash_message, message, SCRAMBLE_LENGTH_323);
randominit(&rand_st,hash_pass[0] ^ hash_message[0], randominit(&rand_st,hash_pass[0] ^ hash_message[0],
hash_pass[1] ^ hash_message[1]); hash_pass[1] ^ hash_message[1]);
to=buff; to=buff;
for (pos=scrambled ; *pos ; pos++) DBUG_ASSERT(sizeof(buff) > SCRAMBLE_LENGTH_323);
for (pos=scrambled ; *pos && to < buff+sizeof(buff) ; pos++)
*to++=(char) (floor(my_rnd(&rand_st)*31)+64); *to++=(char) (floor(my_rnd(&rand_st)*31)+64);
if (pos-scrambled != SCRAMBLE_LENGTH_323) if (pos-scrambled != SCRAMBLE_LENGTH_323)
return 1; return 1;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment