Fix for

bug #27715: mysqld --character-sets-dir buffer overflow bug ##26851: Mysql Client --pager Buffer Overflow Using strmov() to copy an argument may cause overflow if the argument's length is bigger than the buffer: use strmake instead. Also, we have to encrease the error message buffer size to fit the longest message. client/mysql.cc: Fix for bug #27715: mysqld --character-sets-dir buffer overflow bug ##26851: Mysql Client --pager Buffer Overflow - use strmake() instead of strmov() to avoid buffer overflow. mysql-test/r/mysql.result: Fix for bug #27715: mysqld --character-sets-dir buffer overflow bug ##26851: Mysql Client --pager Buffer Overflow - test result. mysql-test/t/mysql.test: Fix for bug #27715: mysqld --character-sets-dir buffer overflow bug ##26851: Mysql Client --pager Buffer Overflow - test case. mysys/charset.c: Fix for bug #27715: mysqld --character-sets-dir buffer overflow bug ##26851: Mysql Client --pager Buffer Overflow - encrease error message buffer size to fit the (possible) longest message.
2025-01-16 03:52:35 +01:00 · 2007-04-16 12:28:02 +05:00 · 2007-04-16 12:28:02 +05:00 · be90800c9f
commit be90800c9f
parent 0ab74abc63
4 changed files with 16 additions and 6 deletions
--- a/client/mysql.cc
+++ b/client/mysql.cc
@ -808,7 +808,7 @@ get_one_option(int optid, const struct my_option *opt __attribute__((unused)),
    break;
 #endif
  case OPT_CHARSETS_DIR:
-    strmov(mysql_charsets_dir, argument);
+    strmake(mysql_charsets_dir, argument, sizeof(mysql_charsets_dir) - 1);
    charsets_dir = mysql_charsets_dir;
    break;
  case  OPT_DEFAULT_CHARSET:
@ -861,7 +861,7 @@ get_one_option(int optid, const struct my_option *opt __attribute__((unused)),
      if (argument && strlen(argument))
      {
 	default_pager_set= 1;
-	strmov(pager, argument);
+	strmake(pager, argument, sizeof(pager) - 1);
 	strmov(default_pager, pager);
      }
      else if (default_pager_set)
--- a/mysql-test/r/mysql.result
+++ b/mysql-test/r/mysql.result
@ -174,4 +174,8 @@ ERROR 2005 (HY000) at line 1: Unknown MySQL server host 'cyrils_superlonghostnam
 1
 ERROR at line 1: DELIMITER cannot contain a backslash character
 ERROR at line 1: DELIMITER cannot contain a backslash character
+1
+1
+1
+1
 End of 5.0 tests
--- a/mysql-test/t/mysql.test
+++ b/mysql-test/t/mysql.test
@ -264,4 +264,10 @@ EOF
 --exec $MYSQL --version 2>&1 > /dev/null
 --enable_quary_log

+#
+# bug #26851: Mysql Client --pager Buffer Overflow
+#
+--exec $MYSQL --pager="540bytelengthstringxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" -e "select 1" 2>&1
+--exec $MYSQL --character-sets-dir="540bytelengthstringxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" -e "select 1" 2>&1
+
 --echo End of 5.0 tests
--- a/mysys/charset.c
+++ b/mysys/charset.c
@ -388,7 +388,7 @@ my_bool STDCALL init_available_charsets(myf myflags)
 static my_bool init_available_charsets(myf myflags)
 #endif
 {
-  char fname[FN_REFLEN];
+  char fname[FN_REFLEN + sizeof(MY_CHARSET_INDEX)];
  my_bool error=FALSE;
  /*
    We have to use charset_initialized to not lock on THR_LOCK_charset
@ -519,7 +519,7 @@ CHARSET_INFO *get_charset(uint cs_number, myf flags)

  if (!cs && (flags & MY_WME))
  {
-    char index_file[FN_REFLEN], cs_string[23];
+    char index_file[FN_REFLEN + sizeof(MY_CHARSET_INDEX)], cs_string[23];
    strmov(get_charsets_dir(index_file),MY_CHARSET_INDEX);
    cs_string[0]='#';
    int10_to_str(cs_number, cs_string+1, 10);
@ -539,7 +539,7 @@ CHARSET_INFO *get_charset_by_name(const char *cs_name, myf flags)

  if (!cs && (flags & MY_WME))
  {
-    char index_file[FN_REFLEN];
+    char index_file[FN_REFLEN + sizeof(MY_CHARSET_INDEX)];
    strmov(get_charsets_dir(index_file),MY_CHARSET_INDEX);
    my_error(EE_UNKNOWN_COLLATION, MYF(ME_BELL), cs_name, index_file);
  }
@ -564,7 +564,7 @@ CHARSET_INFO *get_charset_by_csname(const char *cs_name,

  if (!cs && (flags & MY_WME))
  {
-    char index_file[FN_REFLEN];
+    char index_file[FN_REFLEN + sizeof(MY_CHARSET_INDEX)];
    strmov(get_charsets_dir(index_file),MY_CHARSET_INDEX);
    my_error(EE_UNKNOWN_CHARSET, MYF(ME_BELL), cs_name, index_file);
  }