Bug#31588: buffer overrun when setting variables

Buffer used when setting variables was not dimensioned to accomodate
trailing '\0'. An overflow by one character was therefore possible.
CS corrects limits to prevent such overflows.


mysql-test/r/variables.result:
  Try to overflow buffer used for setting system variables.
  Unpatched server should throw a valgrind warning here.
  Actual value and error message irrelevant, only length counts.
mysql-test/t/variables.test:
  Try to overflow buffer used for setting system variables.
sql/set_var.cc:
  Adjust maximum number of characters we can store in 'buff' by one
  as strmake() will write a terminating '\0'.

mysql-test/r/variables.result

@@ -561,3 +561,6 @@ set @@query_prealloc_size = @test;
 select @@query_prealloc_size = @test;
 @@query_prealloc_size = @test
 1
+set global sql_mode=repeat('a',80);
+ERROR 42000: Variable 'sql_mode' can't be set to the value of 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
+End of 4.1 tests

mysql-test/t/variables.test

@@ -447,4 +447,11 @@ set @test = @@query_prealloc_size;
 set @@query_prealloc_size = @test;
 select @@query_prealloc_size = @test;
 
-# End of 4.1 tests
+#
+# Bug#31588 buffer overrun when setting variables
+#
+# Buffer-size Off By One. Should throw valgrind-warning without fix #31588.
+--error 1231
+set global sql_mode=repeat('a',80);
+
+--echo End of 4.1 tests

sql/set_var.cc

@@ -1573,7 +1573,7 @@ bool sys_var::check_set(THD *thd, set_var *var, TYPELIB *enum_names)
 					    &not_used));
     if (error_len)
     {
-      strmake(buff, error, min(sizeof(buff), error_len));
+      strmake(buff, error, min(sizeof(buff) - 1, error_len));
       goto err;
     }
   }