Bug #53417 | my_getwd() makes assumptions on the buffer sizes which not always hold true | ||
---|---|---|---|
Submitted: | 4 May 2010 16:29 | Modified: | 18 Jun 2010 1:02 |
Reporter: | Kristofer Pettersson | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server | Severity: | S3 (Non-critical) |
Version: | 5.0+ | OS: | Any |
Assigned to: | Kristofer Pettersson | CPU Architecture: | Any |
[4 May 2010 16:29]
Kristofer Pettersson
[4 May 2010 16:37]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/107374

3367 Kristofer Pettersson 2010-05-04
Bug#53417 my_getwd() makes assumptions on the buffer sizes which not always hold true

The mysys library contains many functions for rewriting file paths. Most of these functions make implicit assumptions about the buffer sizes they write to. If a path is put in my_realpath() it will propagate to my_getwd(), which assumes that the buffer holding the path name is greater than 2. This is not true in all cases. In the special case where a VARBIN_ITEM is passed as argument to the LOAD_FILE function this can lead to a crash. This patch fixes the issue by introducing more safeguards against buffer overruns.

@ mysys/mf_loadpath.c
  * Replaced all functions which copy or concatenate bytes with a bounds-checking counterpart.
@ mysys/my_getwd.c
  * Added a safeguard to avoid overwriting memory.
@ sql/item.cc
  * Introduced a consistent initialization of Item_hex_string(). Now the Item will hold the same basic properties regardless of whether it is invoked with parameters or without.
@ sql/item.h
  * Introduced a consistent initialization of Item_hex_string(). Now the Item will hold the same basic properties regardless of whether it is invoked with parameters or without.
@ sql/mysqld.cc
  * Added safeguards to avoid overwriting the buffers by mistake.
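An added C example, not code from the MySQL source or the patch above, illustrating the defect class the commit message describes: a getwd-style copy that needs room for a trailing separator plus NUL (so a 2-byte buffer can never be enough), and a bounded join in place of strcpy/strcat. The function names, return codes and sample buffers are hypothetical and constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical return codes; not mysys names. */
enum { PATH_OK = 0, PATH_ERR_TOO_SMALL = -1 };

/* Copy dir into buf so that it ends in '/', the shape of a getwd-style
 * helper.  Capacity is checked first: strlen(dir) bytes, plus one for a
 * separator if dir lacks one, plus one for the NUL.  A 2-byte buffer can
 * never hold a non-empty directory this way, which is the implicit
 * "buffer is greater than 2" assumption the commit message refers to. */
int wd_copy_bounded(char *buf, size_t size, const char *dir)
{
    size_t len = strlen(dir);
    int needs_slash = (len == 0 || dir[len - 1] != '/');
    size_t needed = len + (size_t)needs_slash + 1;
    if (buf == NULL || size < needed)
        return PATH_ERR_TOO_SMALL;      /* refuse rather than overrun */
    memcpy(buf, dir, len);
    if (needs_slash)
        buf[len++] = '/';
    buf[len] = '\0';
    return PATH_OK;
}

/* Join dir and file into buf with an explicit bound, the bounded
 * counterpart of strcpy/strcat.  On failure buf is left empty. */
int path_join_bounded(char *buf, size_t size, const char *dir, const char *file)
{
    size_t used, flen;
    int rc = wd_copy_bounded(buf, size, dir);
    if (rc != PATH_OK)
        return rc;
    used = strlen(buf);
    flen = strlen(file);
    if (flen + 1 > size - used) {       /* no room for file plus NUL */
        buf[0] = '\0';
        return PATH_ERR_TOO_SMALL;
    }
    memcpy(buf + used, file, flen + 1); /* copies the NUL as well */
    return PATH_OK;
}

int main(void)
{
    char tiny[2], buf[64];              /* constructed sample buffers */
    printf("2-byte buffer: %d\n", wd_copy_bounded(tiny, sizeof tiny, "/tmp"));
    if (path_join_bounded(buf, sizeof buf, "/var/lib/mysql", "data.txt") == PATH_OK)
        printf("joined: %s\n", buf);
    return 0;
}
```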
[5 May 2010 8:59]
Georgi Kodinov
Updated the fix : http://lists.mysql.com/commits/107421
[5 May 2010 15:06]
Bugs System
Pushed into 5.1.47 (revid:joro@sun.com-20100505145753-ivlt4hclbrjy8eye) (version source revid:joro@sun.com-20100505085452-wovhzfknt87zh7u3) (merge vers: 5.1.47) (pib:16)
[12 May 2010 1:49]
Paul DuBois
Noted in 5.1.47 changelog. Certain path names passed to LOAD_FILE() could cause a server crash. Setting report to Need Merge pending further pushes.
[28 May 2010 5:46]
Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100524190136-egaq7e8zgkwb9aqi) (version source revid:alik@sun.com-20100512070920-xgpmqeytp0gc183c) (pib:16)
[28 May 2010 6:16]
Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20100524190941-nuudpx60if25wsvx) (version source revid:alik@sun.com-20100507093037-7cykrx1n73v0tetc) (merge vers: 6.0.14-alpha) (pib:16)
[28 May 2010 6:44]
Bugs System
Pushed into 5.5.5-m3 (revid:alik@sun.com-20100524185725-c8k5q7v60i5nix3t) (version source revid:alexey.kopytov@sun.com-20100508220335-xsvmtj21h4yeu8mf) (merge vers: 5.5.5-m3) (pib:16)
[28 May 2010 21:38]
Paul DuBois
Noted in 5.5.5, 6.0.14 changelogs.
[17 Jun 2010 11:47]
Bugs System
Pushed into 5.1.47-ndb-7.0.16 (revid:martin.skold@mysql.com-20100617114014-bva0dy24yyd67697) (version source revid:martin.skold@mysql.com-20100616204905-jxjg342w35ks9vfy) (merge vers: 5.1.47-ndb-7.0.16) (pib:16)
[17 Jun 2010 12:24]
Bugs System
Pushed into 5.1.47-ndb-6.2.19 (revid:martin.skold@mysql.com-20100617115448-idrbic6gbki37h1c) (version source revid:martin.skold@mysql.com-20100615090726-jotpykke96le59w5) (merge vers: 5.1.47-ndb-6.2.19) (pib:16)
[17 Jun 2010 13:11]
Bugs System
Pushed into 5.1.47-ndb-6.3.35 (revid:martin.skold@mysql.com-20100617114611-61aqbb52j752y116) (version source revid:martin.skold@mysql.com-20100616120453-jh7wr05z1vf7r8pm) (merge vers: 5.1.47-ndb-6.3.35) (pib:16)