Bug #10841 Buffer overflow in "mysql" client may cause unexpected crash
Submitted: 24 May 2005 21:38 Modified: 21 Jun 2005 0:07
Reporter: Reid Borsuk
Status: Closed
Category: Client    Severity: S3 (Non-critical)
Version: 4.1.12    OS: Microsoft Windows (Windows)
Assigned to: Jim Winstead    Target Version:

[24 May 2005 21:38] Reid Borsuk
Description:
A three byte buffer overflow in the client functions (when reading a command from the
user) may cause improper exiting of the client.

MySQL.cpp Line 960 reads:

      linebuffer[0]= (char) sizeof(linebuffer);
      line= _cgets(linebuffer);

_cgets() requires that the first byte of the input buffer be the length of the input
buffer minus 3 (http://msdn.microsoft.com/library/en-us/vccore98/HTML/_crt__cgets.asp).
This corresponds with the maximum length of the string that can be read by the _cgets
function.

(Note that the following analysis is for version 4.1.12, named
mysql-noinstall-4.1.12-win32.zip with MD5 sum of 3ed8ae0fb8aca9074a4fb8188ab18f50. Any
other builds are not likely to work identically.)

This will overflow three bytes into the stack. Due to alignment, two bytes are "safe" and
overflow into unallocated memory, while the terminating null character overflows into the
return EIP. The function add_line() then processes this string, and allows the attacker to
either leave the byte as 0x00, or change it to 0x0A (newline). The attacker then may use
the “quit” command to jump back to their EIP.

In the event the attacker attempts to jump to the instruction ending in 0x0A, the computer
will attempt to read either the address 0x00000000 or 0x00000001 from memory. This will
cause an exception to be raised.

In the event the attacker attempts to jump to the instruction ending in 0x00, the computer
will attempt to read either the address 0x5103982D or 0x5103982E from memory. This is also
within unallocated memory, and an exception will be raised.

This does not appear exploitable on recent builds of the client, therefore is not being
labeled a security issue.

How to repeat:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 30 to server version: 4.1.11-debug

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use near
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' at line
1
mysql> mysql> quit

[CRASH]

Suggested fix:
Change MySQL.cpp Line 960 to read:

      /* _cgets() uses byte 0 for the maximum line length and needs the other
         three bytes for the two-byte header and the terminating null */
      linebuffer[0]= (char) (sizeof(linebuffer)-3);
      line= _cgets(linebuffer);

(It should be noted that this fix will exacerbate another bug in the MySQL client program,
labeled bug #10840.)
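The buffer contract the report describes can be checked without a Windows CRT. The program below is an added example, not code from the bug report or from MySQL: `cgets_model()` is a constructed, portable stand-in that follows the documented `_cgets()` layout (byte 0 holds the maximum line length, byte 1 the count read, the text starts at byte 2 and ends with a null), and the `LINEBUF`/`GUARD` sizes and the 300-character input are constructed values. `simulate_read()` feeds a long line to the model with the original `buf[0] = sizeof(linebuffer)` and with the suggested `sizeof(linebuffer) - 3`, and returns how many bytes land past the declared buffer, which is 3 and 0 respectively. `cgets_init()` is the suggested fix written as a helper that also rejects buffers whose capacity cannot be expressed in one byte.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* _cgets() buffer layout (Microsoft CRT contract):
 *   buf[0]   = maximum characters to read (set by the caller)
 *   buf[1]   = characters actually read   (set by _cgets)
 *   buf[2..] = the line, followed by a terminating null
 * so a read of buf[0] characters touches buf[0] + 3 bytes in total. */
#define CGETS_HEADER   2
#define CGETS_OVERHEAD (CGETS_HEADER + 1)

/* Constructed sizes for this model (not MySQL's real declaration). */
enum { LINEBUF = 254, GUARD = 8 };

/* How many bytes a _cgets() call may touch for a given buf[0]. */
size_t cgets_bytes_touched(unsigned char max_chars)
{
    return (size_t)max_chars + CGETS_OVERHEAD;
}

/* The suggested fix as a helper: derive buf[0] from the real allocation.
 * Returns the value stored in buf[0], or -1 if the buffer cannot hold the
 * header plus null or its capacity does not fit in one byte. */
int cgets_init(char *buf, size_t bufsize)
{
    if (bufsize <= CGETS_OVERHEAD || bufsize - CGETS_OVERHEAD > 255)
        return -1;
    buf[0] = (char)(bufsize - CGETS_OVERHEAD);
    return (int)(bufsize - CGETS_OVERHEAD);
}

/* Constructed stand-in for _cgets(): copies `input` into buf exactly as the
 * contract says, trusting buf[0] just like the real function. Reports the
 * number of bytes written via *written so the caller can compare it with
 * the declared allocation. */
static char *cgets_model(char *buf, const char *input, size_t *written)
{
    size_t max_chars = (unsigned char)buf[0];
    size_t n = strlen(input);
    if (n > max_chars)
        n = max_chars;
    memcpy(buf + CGETS_HEADER, input, n);
    buf[CGETS_HEADER + n] = '\0';
    buf[1] = (char)n;
    *written = CGETS_HEADER + n + 1;
    return buf + CGETS_HEADER;
}

/* Feed a line of `input_len` 'A's to the model with buf[0] = max_chars and
 * return how many bytes spilled past a LINEBUF-byte buffer. The backing
 * array carries GUARD spare bytes so the spill is measured rather than
 * written over a real stack frame. */
size_t simulate_read(unsigned char max_chars, size_t input_len)
{
    char backing[LINEBUF + GUARD];
    char input[512];
    size_t written;

    if (input_len > sizeof(input) - 1)
        input_len = sizeof(input) - 1;
    memset(input, 'A', input_len);
    input[input_len] = '\0';

    memset(backing, 0, sizeof backing);
    backing[0] = (char)max_chars;
    cgets_model(backing, input, &written);
    return written > LINEBUF ? written - LINEBUF : 0;
}

int main(void)
{
    char linebuffer[LINEBUF];
    size_t spill_buggy = simulate_read((unsigned char)sizeof linebuffer, 300);
    int max_fixed = cgets_init(linebuffer, sizeof linebuffer);
    size_t spill_fixed = simulate_read((unsigned char)max_fixed, 300);

    printf("buf[0] = sizeof(linebuffer):   %zu byte(s) past the buffer\n", spill_buggy);
    printf("buf[0] = sizeof(linebuffer)-3: %zu byte(s) past the buffer\n", spill_fixed);
    return 0;
}
```

The three spilled bytes are the two-byte header that the model's `max_chars` does not account for plus the terminating null, which is the accounting the report gives for the overflow reaching the saved return address.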
[24 May 2005 21:57] Miguel Solorzano
I was unable to repeat the crash with 4.1.12 on XP Pro:

    -> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    -> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    ->
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAA
    -> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    -> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    -> AAAAAAAAAAAAA;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use near
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' at line 1
mysql> quit
Bye

Is there something I am missing to reproduce the crash?
[24 May 2005 22:05] Reid Borsuk
I believe you are pasting all those A's on separate lines, from the number of ->'s you
have. Be sure that you create one single long line; the bug tracker seems to split lines
at 80 characters.
[24 May 2005 22:14] Miguel Solorzano
Thank you for the feedback.
[8 Jun 2005 0:44] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/25735
[11 Jun 2005 8:30] Jim Winstead
Fixed in 4.1.13 and 5.0.8.
[21 Jun 2005 0:07] Mike Hillyer
Documented in 4.1.13 and 5.0.8 changelogs.