Bug#16900358 FIX FOR CVE-2012-5611 IS INCOMPLETE

Description: Fix for bug CVE-2012-5611 (bug 67685) is 
incomplete. The ACL_KEY_LENGTH-sized buffers in acl_get() and 
check_grant_db() can be overflown by up to two bytes. That's 
probably not enough to do anything more serious than crashing 
mysqld.
Analysis: In acl_get() when "copy_length" is calculated it 
just adding the variable lengths. But when we are using them 
with strmov() we are adding +1 to each. This will lead to a 
three byte buffer overflow (i.e two +1's at strmov() and one 
byte for the null added by strmov() function). Similarly it 
happens for check_grant_db() function as well.
Fix: We need to add "+2" to "copy_length" in acl_get() 
and "+1" to "copy_length" in check_grant_db(). 

sql/sql_acl.cc

@@ -1363,7 +1363,8 @@ ulong acl_get(const char *host, const char *ip,
   
   copy_length= (size_t) (strlen(ip ? ip : "") +
                  strlen(user ? user : "") +
-                 strlen(db ? db : ""));
+                 strlen(db ? db : "")) + 2; /* Added 2 at the end to avoid  
+                                               buffer overflow at strmov()*/
   /*
     Make sure that strmov() operations do not result in buffer overflow.
   */
@@ -4353,7 +4354,8 @@ bool check_grant_db(THD *thd,const char *db)
   size_t copy_length;
 
   copy_length= (size_t) (strlen(sctx->priv_user ? sctx->priv_user : "") +
-                 strlen(db ? db : ""));
+                 strlen(db ? db : "")) + 1; /* Added 1 at the end to avoid  
+                                               buffer overflow at strmov()*/
 
   /*
     Make sure that strmov() operations do not result in buffer overflow.