| Bug #26303 | buffer overflow? reserve() not called before qs_append() | | |
|---|---|---|---|
| Submitted: | 12 Feb 2007 23:51 | Modified: | 5 Apr 2007 20:02 |
| Reporter: | Chongfeng Hu | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server | Severity: | S2 (Serious) |
| Version: | 5.1.17-BK, 5.2.0-falcon-alpha | OS: | Linux (Linux) |
| Assigned to: | Georgi Kodinov | CPU Architecture: | Any |
[4 Mar 2007 19:24]
Valeriy Kravchuk
Thank you for a problem report. Verified just as described with code review of latest 5.1.17-BK.
[21 Mar 2007 10:10]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/22451
ChangeSet@1.2506, 2007-03-21 12:10:37+02:00, gkodinov@magare.gmz +3 -0
Bug #26303: The String::qs_append() function will append a string without checking if there's enough space. So qs_append() must be called beforehand to ensure there's enough space in the buffer for the subsequent qs_append() calls. Fixed Item_case_expr::print() to make sure there's enough space before appending data:
1. Defined the possible max digits in an INT
2. Added a call to String::reserve() to make sure qs_append will have enough space
[23 Mar 2007 14:47]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/22785
ChangeSet@1.2506, 2007-03-23 16:47:11+02:00, gkodinov@magare.gmz +3 -0
Bug #26303: The String::qs_append() function will append a string without checking if there's enough space. So qs_append() must be called beforehand to ensure there's enough space in the buffer for the subsequent qs_append() calls. Fixed Item_case_expr::print() to make sure there's enough space before appending data by adding a call to String::reserve() to make sure qs_append() will have enough space.
[23 Mar 2007 15:38]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/22791
ChangeSet@1.2506, 2007-03-23 17:38:25+02:00, gkodinov@magare.gmz +3 -0
Bug #26303: Reserve is not called before qs_append(). This may lead to buffer overflow. The String::qs_append() function will append a string without checking if there's enough space. So qs_append() must be called beforehand to ensure there's enough space in the buffer for the subsequent qs_append() calls. Fixed Item_case_expr::print() to make sure there's enough space before appending data by adding a call to String::reserve() to make sure qs_append() will have enough space.
[26 Mar 2007 9:33]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/22926
ChangeSet@1.2506, 2007-03-26 12:32:51+03:00, gkodinov@magare.gmz +4 -0
Bug #26303: Reserve is not called before qs_append(). This may lead to buffer overflow. The String::qs_append() function will append a string without checking if there's enough space. So qs_append() must be called beforehand to ensure there's enough space in the buffer for the subsequent qs_append() calls. Fixed Item_case_expr::print() to make sure there's enough space before appending data by adding a call to String::reserve() to make sure qs_append() will have enough space.
[31 Mar 2007 8:39]
Bugs System
Pushed into 5.1.18-beta
[5 Apr 2007 20:02]
Paul DuBois
Noted in 5.1.18 changelog. Fixed a possible buffer overflow in SHOW PROCEDURE CODE.

Description:
When I checked the code in sql/item.cc, I found one place (in the function definition void Item_case_expr::print(String *str) at line 1131) where qs_append() is called without calling reserve() beforehand, and this might cause a buffer overflow problem. What qs_append() does is append a string at the end of the string pointed to by Ptr, and what reserve() does is make sure that there's enough space at the end of the string; if not, it will reallocate space for the string pointed to by Ptr. However, qs_append() does NOT check the allocated memory, and calling it without calling reserve() first will cause a potential buffer overflow. Following is the segment of code that is involved:

```cpp
1131 void Item_case_expr::print(String *str)
1132 {
1133   VOID(str->append(STRING_WITH_LEN("case_expr@")));
1134   str->qs_append(m_case_expr_id);
1135 }
```

How to repeat:
No test case yet. It is reported by a source code analysis tool.

Suggested fix:
Add a str->reserve() call at the beginning of the function.
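The pattern behind this report, as an added illustration that is not the server's code: a hypothetical ModelString mimicking the buffer fields of MySQL's String (Ptr, str_length, Alloced_length), with a checked append() that reserves only for its own argument and an unchecked qs_append() that trusts the caller. The model grows exactly rather than generously, so the missing reserve() in the unfixed print() shows up deterministically; qs_append() here reports the overrun instead of writing past the buffer.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>

// Hypothetical model of MySQL's String buffer fields (Ptr, str_length,
// Alloced_length); not the server's code. Growth is exact so the missing
// reserve() shows up deterministically.
struct ModelString {
    char *Ptr; size_t str_length, Alloced_length;
    explicit ModelString(size_t cap)
        : Ptr((char *)malloc(cap)), str_length(0), Alloced_length(cap) {}
    ~ModelString() { free(Ptr); }
    // reserve(): grow so that space_needed more bytes fit.
    bool reserve(size_t space_needed) {
        if (str_length + space_needed > Alloced_length) {
            char *p = (char *)realloc(Ptr, str_length + space_needed);
            if (!p) return false;
            Ptr = p; Alloced_length = str_length + space_needed;
        }
        return true;
    }
    // append(): checked append, reserves for its own argument only.
    bool append(const char *s, size_t len) {
        if (!reserve(len)) return false;
        memcpy(Ptr + str_length, s, len); str_length += len; return true;
    }
    // qs_append(int): "quick" append that trusts the caller to have reserved;
    // here it reports an overrun instead of writing past Alloced_length.
    bool qs_append(int i) {
        char buf[12];
        size_t n = (size_t)snprintf(buf, sizeof buf, "%d", i);
        if (str_length + n > Alloced_length) return false;  // would overflow
        memcpy(Ptr + str_length, buf, n); str_length += n; return true;
    }
    std::string value() const { return std::string(Ptr, str_length); }
};
const size_t MAX_INT_WIDTH = 11;  // sign + 10 digits for a 32-bit int
const char PREFIX[] = "case_expr@";
// Before the fix: only the prefix is reserved for; qs_append() runs unchecked.
bool print_unfixed(ModelString &s, int id) {
    return s.append(PREFIX, 10) && s.qs_append(id);
}
// After the fix: reserve for the prefix plus the widest int up front.
bool print_fixed(ModelString &s, int id) {
    return s.reserve(10 + MAX_INT_WIDTH) && s.append(PREFIX, 10) && s.qs_append(id);
}
// A 10-byte buffer is filled exactly by the prefix; the unfixed print() then overruns.
bool unfixed_overruns() { ModelString s(10); return !print_unfixed(s, 7); }
std::string fixed_output() { ModelString s(10); print_fixed(s, 7); return s.value(); }
```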