From 98a5cdfe4cafb9e74d9d800e4b2979ac01765fab Mon Sep 17 00:00:00 2001
From: "knielsen@mysql.com" <>
Date: Fri, 23 Jun 2006 14:50:02 +0200
Subject: [PATCH] BUG#20622: Fix one-byte buffer overrun in IM directory string handling.

The problem was a call to convert_dirname() with a destination buffer that did not have room for the trailing slash added by that function. This could cause the instance manager to crash in some cases.
---
 mysys/mf_dirname.c                                | 4 +++-
 server-tools/instance-manager/instance_options.cc | 9 +++++++--
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/mysys/mf_dirname.c b/mysys/mf_dirname.c
index 9206aa28078..4d78f039799 100644
--- a/mysys/mf_dirname.c
+++ b/mysys/mf_dirname.c
@@ -72,7 +72,9 @@ uint dirname_part(my_string to, const char *name)
   SYNPOSIS
     convert_dirname()
-    to                          Store result here
+    to                          Store result here. Must be at least of size
+                                min(FN_REFLEN, strlen(from) + 1) to make room
+                                for adding FN_LIBCHAR at the end.
     from                        Original filename
     from_end                    Pointer at end of filename (normally end \0)
diff --git a/server-tools/instance-manager/instance_options.cc b/server-tools/instance-manager/instance_options.cc
index 9389694822a..72621ed1662 100644
--- a/server-tools/instance-manager/instance_options.cc
+++ b/server-tools/instance-manager/instance_options.cc
@@ -391,8 +391,13 @@ int Instance_options::complete_initialization(const char *default_path,
   const char *tmp;
   char *end;
 
-  if (!mysqld_path && !(mysqld_path= strdup_root(&alloc, default_path)))
-    goto err;
+  if (!mysqld_path)
+  {
+    // Need one extra byte, as convert_dirname() adds a slash at the end.
+    if (!(mysqld_path= alloc_root(&alloc, strlen(default_path) + 2)))
+      goto err;
+    strcpy((char *)mysqld_path, default_path);
+  }
 
   // it's safe to cast this to char* since this is a buffer we are allocating
   end= convert_dirname((char*)mysqld_path, mysqld_path, NullS);
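Review bot: The extra byte is only reserved on the default_path branch, yet `end= convert_dirname((char*)mysqld_path, mysqld_path, NullS);` also runs in place when mysqld_path was already set before this function; where that buffer comes from is not visible in this hunk, so it is worth confirming it was sized with the same `+ 2` (slash plus NUL), otherwise the one-byte overrun BUG#20622 describes survives on that path. The mf_dirname.c hunk documents the requirement as `min(FN_REFLEN, strlen(from) + 1)`, which is one byte short of what this code correctly allocates when `from` has no trailing FN_LIBCHAR; the doc line should read `strlen(from) + 2` to match. The `(char *)` casts could be dropped by building into a local: `char *buf= (char*) alloc_root(&alloc, strlen(default_path) + 2);`, `strcpy(buf, default_path);`, `mysqld_path= buf;` (with the NULL check on `buf`). complete_initialization's body continues outside the hunk.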