| Bug #26303 | buffer overflow? reserve() not called before qs_append() | | |
|---|---|---|---|
| Submitted: | 12 Feb 2007 23:51 | Modified: | 5 Apr 2007 20:02 |
| Reporter: | Chongfeng Hu | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server | Severity: | S2 (Serious) |
| Version: | 5.1.17-BK, 5.2.0-falcon-alpha | OS: | Linux (Linux) |
| Assigned to: | Georgi Kodinov | CPU Architecture: | Any |
[12 Feb 2007 23:51]
Chongfeng Hu
[4 Mar 2007 19:24]
Valeriy Kravchuk
Thank you for a problem report. Verified just as described with code review of latest 5.1.17-BK.
[21 Mar 2007 10:10]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/22451

ChangeSet@1.2506, 2007-03-21 12:10:37+02:00, gkodinov@magare.gmz +3 -0
Bug #26303: The String::qs_append() function will append a string without checking if there's enough space. So qs_append() must be called beforehand to ensure there's enough space in the buffer for the subsequent qs_append() calls.
Fixed Item_case_expr::print() to make sure there's enough space before appending data:
1. Defined the possible max digits in an INT
2. Added a call to String::reserve() to make sure qs_append will have enough space
[23 Mar 2007 14:47]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/22785

ChangeSet@1.2506, 2007-03-23 16:47:11+02:00, gkodinov@magare.gmz +3 -0
Bug #26303: The String::qs_append() function will append a string without checking if there's enough space. So qs_append() must be called beforehand to ensure there's enough space in the buffer for the subsequent qs_append() calls.
Fixed Item_case_expr::print() to make sure there's enough space before appending data by adding a call to String::reserve() to make sure qs_append() will have enough space.
[23 Mar 2007 15:38]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/22791

ChangeSet@1.2506, 2007-03-23 17:38:25+02:00, gkodinov@magare.gmz +3 -0
Bug #26303: Reserve is not called before qs_append(). This may lead to buffer overflow.
The String::qs_append() function will append a string without checking if there's enough space. So qs_append() must be called beforehand to ensure there's enough space in the buffer for the subsequent qs_append() calls.
Fixed Item_case_expr::print() to make sure there's enough space before appending data by adding a call to String::reserve() to make sure qs_append() will have enough space.
[26 Mar 2007 9:33]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/22926

ChangeSet@1.2506, 2007-03-26 12:32:51+03:00, gkodinov@magare.gmz +4 -0
Bug #26303: Reserve is not called before qs_append(). This may lead to buffer overflow.
The String::qs_append() function will append a string without checking if there's enough space. So qs_append() must be called beforehand to ensure there's enough space in the buffer for the subsequent qs_append() calls.
Fixed Item_case_expr::print() to make sure there's enough space before appending data by adding a call to String::reserve() to make sure qs_append() will have enough space.
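The contract the commit messages describe, as an added example rather than MySQL's own code: a constructed String-like class whose qs_append() copies without a capacity check (the model flags the violation instead of corrupting memory), beside an unfixed and a fixed shape of a print routine that appends a prefix and an integer. The class, the MAX_INT_WIDTH constant and the "case_expr@" prefix are assumptions for illustration.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Constructed stand-in for a String class with a "quick" append path:
// qs_append() trusts that the caller already called reserve(). On a
// contract violation this model sets a flag where real code would overflow.
class QsString {
public:
  bool reserve(size_t extra) {                  // guarantee room for `extra` more bytes
    if (buf_.size() + extra > capacity_) capacity_ = buf_.size() + extra;
    return true;                                // a real allocator could fail here
  }
  bool append(const char *s, size_t n) {        // checked append: sizes exactly for n
    if (!reserve(n)) return false;
    buf_.insert(buf_.end(), s, s + n);
    return true;
  }
  void qs_append(const char *s, size_t n) {     // unchecked append, like the page's qs_append()
    if (buf_.size() + n > capacity_) overflowed_ = true;
    buf_.insert(buf_.end(), s, s + n);
  }
  void qs_append(int v) {                       // decimal rendering of an int
    char tmp[16];
    int n = std::snprintf(tmp, sizeof tmp, "%d", v);
    qs_append(tmp, static_cast<size_t>(n));
  }
  bool overflowed() const { return overflowed_; }
  std::string str() const { return std::string(buf_.begin(), buf_.end()); }
private:
  std::vector<char> buf_;
  size_t capacity_ = 0;
  bool overflowed_ = false;
};

static const size_t MAX_INT_WIDTH = 11;         // assumed: "-2147483648" is 11 characters
static const char PREFIX[] = "case_expr@";      // assumed prefix, 10 characters

// Unfixed shape: append() reserves room for the prefix only, so the
// following qs_append(int) writes past what was reserved.
bool print_case_expr_unfixed(QsString &str, int id) {
  str.append(PREFIX, sizeof(PREFIX) - 1);
  str.qs_append(id);
  return !str.overflowed();
}

// Fixed shape: reserve prefix + worst-case int digits before any qs_append().
bool print_case_expr_fixed(QsString &str, int id) {
  if (!str.reserve(sizeof(PREFIX) - 1 + MAX_INT_WIDTH)) return false;
  str.append(PREFIX, sizeof(PREFIX) - 1);
  str.qs_append(id);
  return !str.overflowed();
}

// Helpers returning results so the two shapes can be compared directly.
bool unfixed_violates_contract(int id) { QsString s; return !print_case_expr_unfixed(s, id); }
std::string fixed_output(int id) { QsString s; return print_case_expr_fixed(s, id) ? s.str() : "<overflow>"; }
```

The same reserve-before-qs_append() check can be applied to any print routine that mixes the checked and unchecked append paths.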
[31 Mar 2007 8:39]
Bugs System
Pushed into 5.1.18-beta
[5 Apr 2007 20:02]
Paul DuBois
Noted in 5.1.18 changelog. Fixed a possible buffer overflow in SHOW PROCEDURE CODE.