Bug #78042 mysqlslap can crash with Out of memory error
Submitted: 12 Aug 2015 15:04 Modified: 13 Aug 2015 7:54
Reporter: Honza Horak (OCA)
Status: Verified
Category: MySQL Server: Command-line Clients
Severity: S3 (Non-critical)
Version: 5.6.26
OS: Any
Assigned to:
CPU Architecture: Any

[12 Aug 2015 15:04] Honza Horak
Description:
See suggested fix to learn the context.

Since strncpy doesn't add a zero at the end of the destination string, the
strncpy created an unterminated string. Such an unterminated string led to seeking
for ':' by strchr behind the initialized part of the buffer array. If there was a ':'
character before '\0', we could get into trouble, because the option_ptr variable
would become bigger than the retstr variable, thus (retstr - option_ptr) would
be a negative number and thus (size_t)(retstr - option_ptr) would become about
4G. In the end we could (and really did) see an error like this:
mysqlslap: Out of memory (Needed 4294967236 bytes)

How to repeat:
I was lucky to reproduce with:

  $> mysqlslap --engine="heap,myisam"

But since it depends on how the uninitialized memory looks, it is not possible to reproduce it every time.

Suggested fix:
diff -up mysql-5.6.26/client/mysqlslap.c.orig mysql-5.6.26/client/mysqlslap.c
--- mysql-5.6.26/client/mysqlslap.c.orig	2015-08-12 16:41:28.177968824 +0200
+++ mysql-5.6.26/client/mysqlslap.c	2015-08-12 16:41:18.856967484 +0200
@@ -2020,11 +2020,12 @@ parse_option(const char *origin, option_
       Return an error if the length of the any of the comma seprated value
       exceeds HUGE_STRING_LENGTH.
     */
-    if ((size_t)(retstr - ptr) > HUGE_STRING_LENGTH)
+    if ((size_t)(retstr - ptr) >= HUGE_STRING_LENGTH)
       return -1;
 
     count++;
     strncpy(buffer, ptr, (size_t)(retstr - ptr));
+    buffer[(size_t)(retstr - ptr)] = '\0';
     if ((buffer_ptr= strchr(buffer, ':')))
     {
       char *option_ptr;
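Review bot: The change from '>' to '>=' on the length check is what keeps the new `buffer[(size_t)(retstr - ptr)] = '\0';` write inside the buffer, but the comment above the check still says the error is returned when the length "exceeds HUGE_STRING_LENGTH", so it should be updated to "equals or exceeds" and mention that the last byte is reserved for the terminator; otherwise the '>=' looks like an off-by-one and invites being reverted. Introducing a local `size_t len= (size_t)(retstr - ptr);` would also avoid computing the same difference three times (check, strncpy, terminator) and make the bound easier to audit against the write.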
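An added illustration, not code from the report or from mysqlslap: a simplified model of the copy-and-split step described above (split_token, demo_option_len and BUF_LEN are hypothetical names), with the unterminated copy and the fixed copy selectable, and a constructed stale buffer that makes the bogus length show up deterministically instead of depending on what uninitialized memory happens to contain:

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#define BUF_LEN 16  /* stands in for HUGE_STRING_LENGTH */

struct engine_opt { size_t name_len, option_len; };  /* bytes before/after ':' */

/* Simplified model of the copy-and-split step in parse_option() (hypothetical,
 * not mysqlslap's code). [ptr, end) is one comma-separated item; buf is reused
 * between items and may hold stale bytes. terminate=1 applies the fix. */
int split_token(const char *ptr, const char *end, char *buf, size_t bufsize,
                int terminate, struct engine_opt *out)
{
    size_t len = (size_t)(end - ptr);
    const char *colon, *option_ptr;

    /* Fixed: reject len == bufsize too, so buf[len] = '\0' stays in bounds. */
    if (terminate ? len >= bufsize : len > bufsize)
        return -1;
    strncpy(buf, ptr, len);       /* copies len bytes and writes no '\0' */
    if (terminate)
        buf[len] = '\0';

    out->name_len = len;
    out->option_len = 0;
    colon = strchr(buf, ':');     /* without the '\0' this scans stale bytes */
    if (colon == NULL)
        return 0;
    out->name_len = (size_t)(colon - buf);
    option_ptr = ptr + 1 + out->name_len;         /* skip name and ':' in source */
    out->option_len = (size_t)(end - option_ptr); /* underflows if ':' was stale */
    return 1;
}

/* Constructed case: a stale buffer full of ':' and an item with no option. */
size_t demo_option_len(int terminate)
{
    char buf[BUF_LEN];
    const char *item = "heap";
    struct engine_opt eo;
    memset(buf, ':', sizeof buf);
    split_token(item, item + strlen(item), buf, sizeof buf, terminate, &eo);
    return eo.option_len;
}

int main(void)
{
    printf("fixed: %zu  buggy: %zu\n", demo_option_len(1), demo_option_len(0));
    return 0;
}
```

The buggy path finds the stale ':' one byte past the copied item, so option_ptr lands one past the end of the source and the unsigned difference wraps to SIZE_MAX, which is the oversized allocation the report observed.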
[13 Aug 2015 7:54] MySQL Verification Team
Hello Honza,

Thank you for the report and contribution.

Thanks,
Umesh