Commit cd9d89a7 authored by unknown's avatar unknown

Bug#31588: buffer overrun when setting variables

Buffer used when setting variables was not dimensioned to accomodate
trailing '\0'. An overflow by one character was therefore possible.
CS corrects limits to prevent such overflows.


mysql-test/r/variables.result:
  Try to overflow buffer used for setting system variables.
  Unpatched server should throw a valgrind warning here.
  Actual value and error message irrelevant, only length counts.
mysql-test/t/variables.test:
  Try to overflow buffer used for setting system variables.
sql/set_var.cc:
  Adjust maximum number of characters we can store in 'buff' by one
  as strmake() will write a terminating '\0'.
parent 77d786b5
...@@ -561,3 +561,6 @@ set @@query_prealloc_size = @test; ...@@ -561,3 +561,6 @@ set @@query_prealloc_size = @test;
select @@query_prealloc_size = @test; select @@query_prealloc_size = @test;
@@query_prealloc_size = @test @@query_prealloc_size = @test
1 1
set global sql_mode=repeat('a',80);
ERROR 42000: Variable 'sql_mode' can't be set to the value of 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
End of 4.1 tests
...@@ -447,4 +447,11 @@ set @test = @@query_prealloc_size; ...@@ -447,4 +447,11 @@ set @test = @@query_prealloc_size;
set @@query_prealloc_size = @test; set @@query_prealloc_size = @test;
select @@query_prealloc_size = @test; select @@query_prealloc_size = @test;
# End of 4.1 tests #
# Bug#31588 buffer overrun when setting variables
#
# Buffer-size Off By One. Should throw valgrind-warning without fix #31588.
--error 1231
set global sql_mode=repeat('a',80);
--echo End of 4.1 tests
...@@ -1573,7 +1573,7 @@ bool sys_var::check_set(THD *thd, set_var *var, TYPELIB *enum_names) ...@@ -1573,7 +1573,7 @@ bool sys_var::check_set(THD *thd, set_var *var, TYPELIB *enum_names)
&not_used)); &not_used));
if (error_len) if (error_len)
{ {
strmake(buff, error, min(sizeof(buff), error_len)); strmake(buff, error, min(sizeof(buff) - 1, error_len));
goto err; goto err;
} }
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment