two buffer overflows fixed

sql/sp.cc: use strxnmov, just in case sql/sql_parse.cc: init thd->security_ctx->priv_host, otherwise - buffer overflow in db_create_routine sql/unireg.cc: not too nice to do bzero(buf, 9) after char buf[5], eh ?

two buffer overflows fixed
sql/sp.cc: use strxnmov, just in case sql/sql_parse.cc: init thd->security_ctx->priv_host, otherwise - buffer overflow in db_create_routine sql/unireg.cc: not too nice to do bzero(buf, 9) after char buf[5], eh ?
3b476a8f · unknown · 1fa5ff04 · 3b476a8f · 3b476a8f · 3b476a8f
Commit 3b476a8f authored Jan 28, 2006 by unknown
Show whitespace changes
Inline Side-by-side

Showing with 5 additions and 4 deletions

sql/sp.cc sql/sp.cc +1 -1

sql/sql_parse.cc sql/sql_parse.cc +1 -0

sql/unireg.cc sql/unireg.cc +3 -3

No files found.
--- a/sql/sp.cc
+++ b/sql/sp.cc
@@ -501,7 +501,7 @@ db_create_routine(THD *thd, int type, sp_head *sp)
  else
  {
    restore_record(table, s->default_values); // Get default values for fields
-    strxmov(definer, thd->security_ctx->priv_user, "@",
+    strxnmov(definer, sizeof(definer)-1, thd->security_ctx->priv_user, "@",
            thd->security_ctx->priv_host, NullS);

    if (table->s->fields != MYSQL_PROC_FIELD_COUNT)

--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -1253,6 +1253,7 @@ pthread_handler_t handle_bootstrap(void *arg)
  thd->version=refresh_version;
  thd->security_ctx->priv_user=
    thd->security_ctx->user= (char*) my_strdup("boot", MYF(MY_WME));
+  thd->security_ctx->priv_host[0]=0;

  buff= (char*) thd->net.buff;
  thd->init_for_queries();

--- a/sql/unireg.cc
+++ b/sql/unireg.cc
@@ -84,7 +84,7 @@ bool mysql_create_frm(THD *thd, const char *file_name,
  uchar fileinfo[64],forminfo[288],*keybuff;
  TYPELIB formnames;
  uchar *screen_buff;
-  char buff[5];
+  char buff[32];
 #ifdef WITH_PARTITION_STORAGE_ENGINE
  partition_info *part_info= thd->lex->part_info;
 #endif