Bug #3541 Local Buffer overflow
Submitted: 22 Apr 2004 11:59 Modified: 28 Apr 2004 15:44
Reporter: Gabriele Galadini
Status: Closed
Category: MySQL Server: Command-line Clients Severity: S3 (Non-critical)
Version: 4.0.15a OS: Linux (Linux)
Assigned to: Sergei Golubchik CPU Architecture: Any

[22 Apr 2004 11:59] Gabriele Galadini
Description:
Hi,
 
 I've found a small problem in the REPLACE() function of mysql
 for the default version (slackware 9.1) of the mysql package;
 more precisely, the version is: 12.21 Distrib 4.0.15a.
 That's a 'semi' issue: the executable isn't setuid or setgid.

 (Example)
 drawing up:

 mtv@mercuzio:~/work/test$ ltrace replace `perl -e "print 'A' x 3519"`
 ...
 fflush(0x40216f00)                                                       = 0
 exit(1 <unfinished ...>
 +++ exited (status 1) +++
 
 // not there are still problems but
 
 mtv@mercuzio:~/work/test$ ltrace replace `perl -e "print 'A' x 3520"`

 ...
 malloc(245)                                                 = 0x806c140
 malloc(504)                                                 = 0x806c240
 strlen("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...)               = 3520
 realloc(0x806c240, 1016)                                    = 0x806c240
 __stpcpy(0x806c240, 0xbfffedf1, 16, 0xbfffec54, 0x806c240 <unfinished  ...>
 --- SIGSEGV (Segmentation fault) ---
 +++ killed by SIGSEGV +++
 ...

 (Example2)

 mtv@mercuzio:~/work/test$ declare -x buf=`perl -e '{print "A"x"3520"}'`
 mtv@mercuzio:~/work/test$ replace $buf
 Segmentation fault 
 mtv@mercuzio:~/work/test$ md5sum mysql-4.0.15a-i486-1.tgz 
 3f7a950c37db60fd3f29a10f700fccc9  mysql-4.0.15a-i486-1.tgz
 mtv@mercuzio:~/work/test$

How to repeat:

Suggested fix:
//
[28 Apr 2004 15:44] Sergei Golubchik
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.

If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at
    http://www.mysql.com/doc/en/Installing_source_tree.html

Additional info:

fixed in 4.0.19