Bug#31588: buffer overrun when setting variables

Buffer used when setting variables was not dimensioned to accomodate trailing '\0'. An overflow by one character was therefore possible. CS corrects limits to prevent such overflows.

Bug#31588: buffer overrun when setting variables
Buffer used when setting variables was not dimensioned to accomodate trailing '\0'. An overflow by one character was therefore possible. CS corrects limits to prevent such overflows.
e6ef54b3 · tnurnberg@sin.intern.azundris.com · 39f6cbc2 · e6ef54b3 · e6ef54b3 · e6ef54b3
Commit e6ef54b3 authored Oct 18, 2007 by tnurnberg@sin.intern.azundris.com
Show whitespace changes
Inline Side-by-side

Showing with 12 additions and 2 deletions

mysql-test/r/variables.result mysql-test/r/variables.result +3 -0

mysql-test/t/variables.test mysql-test/t/variables.test +8 -1

sql/set_var.cc sql/set_var.cc +1 -1

No files found.
--- a/mysql-test/r/variables.result
+++ b/mysql-test/r/variables.result
@@ -561,3 +561,6 @@ set @@query_prealloc_size = @test;
 select @@query_prealloc_size = @test;
 @@query_prealloc_size = @test
 1
+set global sql_mode=repeat('a',80);
+ERROR 42000: Variable 'sql_mode' can't be set to the value of 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
+End of 4.1 tests
--- a/mysql-test/t/variables.test
+++ b/mysql-test/t/variables.test
@@ -447,4 +447,11 @@ set @test = @@query_prealloc_size;
 set @@query_prealloc_size = @test;
 select @@query_prealloc_size = @test;
-# End of 4.1 tests
+#
+# Bug#31588 buffer overrun when setting variables
+#
+# Buffer-size Off By One. Should throw valgrind-warning without fix #31588.
+--error 1231
+set global sql_mode=repeat('a',80);
+--echo End of 4.1 tests
--- a/sql/set_var.cc
+++ b/sql/set_var.cc
@@ -1573,7 +1573,7 @@ bool sys_var::check_set(THD *thd, set_var *var, TYPELIB *enum_names)
 					    &not_used));
    if (error_len)
    {
-      strmake(buff, error, min(sizeof(buff), error_len));
+      strmake(buff, error, min(sizeof(buff) - 1, error_len));
      goto err;
    }
  }