Commit 3b476a8f authored by unknown's avatar unknown

two buffer overflows fixed


sql/sp.cc:
  use strxnmov, just in case
sql/sql_parse.cc:
  init thd->security_ctx->priv_host,
  otherwise - buffer overflow in db_create_routine
sql/unireg.cc:
  not too nice to do bzero(buf, 9) after char buf[5], eh ?
parent 1fa5ff04
...@@ -501,7 +501,7 @@ db_create_routine(THD *thd, int type, sp_head *sp) ...@@ -501,7 +501,7 @@ db_create_routine(THD *thd, int type, sp_head *sp)
else else
{ {
restore_record(table, s->default_values); // Get default values for fields restore_record(table, s->default_values); // Get default values for fields
strxmov(definer, thd->security_ctx->priv_user, "@", strxnmov(definer, sizeof(definer)-1, thd->security_ctx->priv_user, "@",
thd->security_ctx->priv_host, NullS); thd->security_ctx->priv_host, NullS);
if (table->s->fields != MYSQL_PROC_FIELD_COUNT) if (table->s->fields != MYSQL_PROC_FIELD_COUNT)
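Review bot: The bound `sizeof(definer)-1` on the strxnmov line is right only because `definer` is a local array and strxnmov writes up to `len` characters plus a terminating NUL; neither fact is visible at the call site, and the declaration of `definer` is outside this hunk. A one-line comment such as `/* strxnmov's len excludes the NUL; definer is an array, so sizeof is its capacity */` would keep a later refactor from turning the bound into the size of a pointer. Truncation is silent, so an over-long user@host pair would be stored shortened rather than rejected, which is presumably fine given the column width but worth confirming. db_create_routine begins and ends outside the hunk.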
...@@ -1253,6 +1253,7 @@ pthread_handler_t handle_bootstrap(void *arg) ...@@ -1253,6 +1253,7 @@ pthread_handler_t handle_bootstrap(void *arg)
thd->version=refresh_version; thd->version=refresh_version;
thd->security_ctx->priv_user= thd->security_ctx->priv_user=
thd->security_ctx->user= (char*) my_strdup("boot", MYF(MY_WME)); thd->security_ctx->user= (char*) my_strdup("boot", MYF(MY_WME));
thd->security_ctx->priv_host[0]=0;
buff= (char*) thd->net.buff; buff= (char*) thd->net.buff;
thd->init_for_queries(); thd->init_for_queries();
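Review bot: The added `thd->security_ctx->priv_host[0]=0;` terminates priv_host for the bootstrap thread only, while the commit message says an unterminated priv_host overflows in db_create_routine, so any other path that builds a Security_context without filling priv_host would hit the same read. If Security_context has an init or constructor, that is the place to guarantee the array is NUL-terminated; if it does not, a comment here such as `/* bootstrap has no client host; priv_host must still be a valid empty string */` records why the line is needed. I cannot see Security_context from this page, so treat that as something to check. handle_bootstrap continues outside the hunk.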
...@@ -63,7 +63,7 @@ static bool make_empty_rec(THD *thd, int file, enum legacy_db_type table_type, ...@@ -63,7 +63,7 @@ static bool make_empty_rec(THD *thd, int file, enum legacy_db_type table_type,
keys number of keys to create keys number of keys to create
key_info Keys to create key_info Keys to create
db_file Handler to use. May be zero, in which case we use db_file Handler to use. May be zero, in which case we use
create_info->db_type create_info->db_type
RETURN RETURN
0 ok 0 ok
1 error 1 error
...@@ -84,7 +84,7 @@ bool mysql_create_frm(THD *thd, const char *file_name, ...@@ -84,7 +84,7 @@ bool mysql_create_frm(THD *thd, const char *file_name,
uchar fileinfo[64],forminfo[288],*keybuff; uchar fileinfo[64],forminfo[288],*keybuff;
TYPELIB formnames; TYPELIB formnames;
uchar *screen_buff; uchar *screen_buff;
char buff[5]; char buff[32];
#ifdef WITH_PARTITION_STORAGE_ENGINE #ifdef WITH_PARTITION_STORAGE_ENGINE
partition_info *part_info= thd->lex->part_info; partition_info *part_info= thd->lex->part_info;
#endif #endif
...@@ -232,7 +232,7 @@ bool mysql_create_frm(THD *thd, const char *file_name, ...@@ -232,7 +232,7 @@ bool mysql_create_frm(THD *thd, const char *file_name,
goto err; goto err;
} }
} }
VOID(my_seek(file,filepos,MY_SEEK_SET,MYF(0))); VOID(my_seek(file,filepos,MY_SEEK_SET,MYF(0)));
if (my_write(file,(byte*) forminfo,288,MYF_RW) || if (my_write(file,(byte*) forminfo,288,MYF_RW) ||
my_write(file,(byte*) screen_buff,info_length,MYF_RW) || my_write(file,(byte*) screen_buff,info_length,MYF_RW) ||
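Review bot: `char buff[32];` on the declaration line replaces one unexplained literal size with another, while the write that overran it (`bzero(buff, 9)` according to the commit message) sits outside this hunk and still carries its own literal length, so nothing ties the two numbers together. Using `bzero(buff, sizeof(buff))` at the write site, or one shared named constant such as `enum { FRM_BUFF_LEN = 32 };`, would stop them drifting apart again. A short comment on the declaration saying what the bytes hold would also help, if that is known. The hunks at lines 63 and 232 show no visible change on this page, so I have not reviewed them separately; mysql_create_frm's body continues outside the hunk.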