better use of fn_format() in ha_mysisam::restore() and ha_myisam::backup()

fixed buffer overflow in fn_format()
This commit is contained in:
sasha@mysql.sashanet.com 2000-09-18 22:10:06 -06:00
parent e023159c0c
commit ce8f1b23c3
2 changed files with 11 additions and 26 deletions

View file

@ -53,7 +53,8 @@ my_string fn_format(my_string to, const char *name, const char *dsk,
name+=(length=dirname_part(dev,(startpos=(my_string) name))); name+=(length=dirname_part(dev,(startpos=(my_string) name)));
if (length == 0 || flag & 1) if (length == 0 || flag & 1)
{ {
(void) strmov(dev,dsk); /* Use given directory */ (void) strnmov(dev,dsk, sizeof(dev) - 2);
/* Use given directory */
convert_dirname(dev); /* Fix to this OS */ convert_dirname(dev); /* Fix to this OS */
} }
if (flag & 8) if (flag & 8)

View file

@ -333,21 +333,12 @@ int ha_myisam::restore(THD* thd, HA_CHECK_OPT *check_opt)
HA_CHECK_OPT tmp_check_opt; HA_CHECK_OPT tmp_check_opt;
char* backup_dir = thd->lex.backup_dir; char* backup_dir = thd->lex.backup_dir;
char src_path[FN_REFLEN], dst_path[FN_REFLEN]; char src_path[FN_REFLEN], dst_path[FN_REFLEN];
int backup_dir_len = strlen(backup_dir);
char* table_name = table->real_name; char* table_name = table->real_name;
int table_name_len = strlen(table_name); if(!fn_format(src_path, table_name, backup_dir, MI_NAME_DEXT, 4 + 64))
if(backup_dir_len + table_name_len + 4 >= FN_REFLEN)
return HA_ADMIN_INVALID; return HA_ADMIN_INVALID;
memcpy(src_path, backup_dir, backup_dir_len);
char* p = src_path + backup_dir_len;
*p++ = '/';
memcpy(p, table_name, table_name_len);
p += table_name_len;
*p = 0;
fn_format(src_path, src_path, "", MI_NAME_DEXT, 4);
int error = 0; int error = 0;
char* errmsg = ""; const char* errmsg = "";
if(my_copy(src_path, fn_format(dst_path, table->path, "", if(my_copy(src_path, fn_format(dst_path, table->path, "",
MI_NAME_DEXT, 4), MYF(MY_WME))) MI_NAME_DEXT, 4), MYF(MY_WME)))
@ -378,28 +369,21 @@ int ha_myisam::backup(THD* thd, HA_CHECK_OPT *check_opt)
{ {
char* backup_dir = thd->lex.backup_dir; char* backup_dir = thd->lex.backup_dir;
char src_path[FN_REFLEN], dst_path[FN_REFLEN]; char src_path[FN_REFLEN], dst_path[FN_REFLEN];
int backup_dir_len = strlen(backup_dir);
char* table_name = table->real_name; char* table_name = table->real_name;
int table_name_len = strlen(table_name); if(!fn_format(dst_path, table_name, backup_dir, reg_ext, 4 + 64))
if(backup_dir_len + table_name_len + 4 >= FN_REFLEN)
return HA_ADMIN_INVALID; return HA_ADMIN_INVALID;
memcpy(dst_path, backup_dir, backup_dir_len);
char* p = dst_path + backup_dir_len;
*p++ = '/';
memcpy(p, table_name, table_name_len);
p += table_name_len;
*p = 0;
if(my_copy(fn_format(src_path, table->path,"", reg_ext, 4), if(my_copy(fn_format(src_path, table->path,"", reg_ext, 4),
fn_format(dst_path, dst_path, "", reg_ext, 4), dst_path,
MYF(MY_WME | MY_HOLD_ORIGINAL_MODES ))) MYF(MY_WME | MY_HOLD_ORIGINAL_MODES )))
{ {
return HA_ADMIN_FAILED; return HA_ADMIN_FAILED;
} }
*p = 0; if(!fn_format(dst_path, table_name, backup_dir, MI_NAME_DEXT, 4 + 64))
*(fn_ext(src_path)) = 0; return HA_ADMIN_INVALID;
if(my_copy(fn_format(src_path, src_path,"", MI_NAME_DEXT, 4),
fn_format(dst_path, dst_path, "", MI_NAME_DEXT, 4), if(my_copy(fn_format(src_path, table->path,"", MI_NAME_DEXT, 4),
dst_path,
MYF(MY_WME | MY_HOLD_ORIGINAL_MODES )) ) MYF(MY_WME | MY_HOLD_ORIGINAL_MODES )) )
return HA_ADMIN_FAILED; return HA_ADMIN_FAILED;