applying patch for BUG15912213

2cbf2e64 · unknown · Akhil Mohan · 86c0a80b · 2cbf2e64
Commit 2cbf2e64 authored Nov 29, 2012 by unknown Committed by Akhil Mohan Nov 29, 2012
Hide whitespace changes
Inline Side-by-side

Showing with 20 additions and 1 deletion

sql/sql_acl.cc sql/sql_acl.cc +20 -1

No files found.
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -1356,10 +1356,19 @@ ulong acl_get(const char *host, const char *ip,
 {
  ulong host_access= ~(ulong)0, db_access= 0;
  uint i;
-  size_t key_length;
+  size_t key_length, copy_length;
  char key[ACL_KEY_LENGTH],*tmp_db,*end;
  acl_entry *entry;
  DBUG_ENTER("acl_get");
+  
+  copy_length= (size_t) (strlen(ip ? ip : "") +
+                 strlen(user ? user : "") +
+                 strlen(db ? db : ""));
+  /*
+    Make sure that strmov() operations do not result in buffer overflow.
+  */
+  if (copy_length >= ACL_KEY_LENGTH)
+    DBUG_RETURN(0);

  VOID(pthread_mutex_lock(&acl_cache->lock));
  end=strmov((tmp_db=strmov(strmov(key, ip ? ip : "")+1,user)+1),db);
@@ -4340,6 +4349,16 @@ bool check_grant_db(THD *thd,const char *db)
  char helping [NAME_LEN+USERNAME_LENGTH+2];
  uint len;
  bool error= TRUE;
+  size_t copy_length;
+
+  copy_length= (size_t) (strlen(sctx->priv_user ? sctx->priv_user : "") +
+                 strlen(db ? db : ""));
+
+  /*
+    Make sure that strmov() operations do not result in buffer overflow.
+  */
+  if (copy_length >= (NAME_LEN+USERNAME_LENGTH+2))
+    return 1;

  len= (uint) (strmov(strmov(helping, sctx->priv_user) + 1, db) - helping) + 1;