Bug #119511 Buffer Overflow on Large Key-Value Pairs
Submitted: 5 Dec 0:30
Reporter: Colin Yuen Email Updates:
Status: Open Impact on me: None
Category:Connector / ODBC Severity:S1 (Critical)
Version:9.5.0 OS:Any (All)
Assigned to: CPU Architecture:Any (All)
Tags: buffer overflow, connection string, key-value pairs

[5 Dec 0:30] Colin Yuen
Description:
When reading values to parse into the data source, the function `optionStr::set_remove_brackets` is called, https://github.com/mysql/mysql-connector-odbc/blob/7047458aa497df48f03a3af306ecc0a4ac1a65b.... Within this, the buffer allocated for output is set to 1024. When a user enters a key-value pair which exceeds this buffer, it will cause a buffer overflow when it tries to copy the input, val_char, into the output.

How to repeat:
Create any DSN via the ODBC Data Source Administrator and fill any text box with over 1025 characters. On save or test connection, the application will exit. 

This is also consistent if tested using a connection string with one key having a large value.
e.g. 
`SERVER=host;UID=my_user;PWD=aaaa...1024 more characters...aaa;`

Suggested fix:
Use a dynamic buffer size to read in user input. Rather than allocating a fixed buffer of 1024, use an empty std::wstring / SQLWSTRING, push the values back into the SQLWSTRING, then convert back to a SQLCHAR later on. This will also require fixes in the dialog manager as well to support the additional sized value.
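As an added illustration of the two approaches the report contrasts, the following is example code written for this page, not the connector's own source. It assumes, from the function name and the ODBC convention of quoting values in `{...}`, that "remove brackets" means dropping one surrounding pair of braces; all function and struct names (`copy_remove_brackets_bounded`, `remove_brackets_dynamic`, `parse_conn_string`, `check_conn_string`) are hypothetical. The bounded routine keeps a 1024-element `wchar_t` buffer but refuses a value that would not fit together with its terminating NUL, where an unchecked copy would write past the end; the dynamic routine is the shape of the suggested fix, returning a `std::wstring` of whatever length the input needs. The sample connection string is constructed here to match the report's example (a PWD value of 1031 characters).

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Stand-in for the 1024-element output buffer the report describes.
constexpr std::size_t kFixedBufLen = 1024;

// Hypothetical bounded replacement for a fixed-buffer copy: same 1024-wchar_t
// destination, but input that does not fit (value plus NUL) is rejected instead
// of being written past the end. Bracket handling is an assumption: a value
// wrapped in {...} has the outer braces dropped.
bool copy_remove_brackets_bounded(const std::wstring& val,
                                  wchar_t (&out)[kFixedBufLen]) {
    std::size_t begin = 0, end = val.size();
    if (end >= 2 && val.front() == L'{' && val.back() == L'}') {
        begin = 1;
        end -= 1;
    }
    const std::size_t n = end - begin;
    if (n + 1 > kFixedBufLen) {  // value plus terminating NUL would overrun
        out[0] = L'\0';
        return false;
    }
    for (std::size_t i = 0; i < n; ++i) out[i] = val[begin + i];
    out[n] = L'\0';
    return true;
}

// Convenience wrapper: does this value fit the fixed buffer at all?
bool fits_fixed_buffer(const std::wstring& val) {
    wchar_t buf[kFixedBufLen];
    return copy_remove_brackets_bounded(val, buf);
}

// The shape of the fix the report suggests: no fixed-size buffer, the result
// lives in a std::wstring sized by the input.
std::wstring remove_brackets_dynamic(const std::wstring& val) {
    if (val.size() >= 2 && val.front() == L'{' && val.back() == L'}')
        return val.substr(1, val.size() - 2);
    return val;
}

// Minimal KEY=VALUE;KEY=VALUE splitter. A value that starts with '{' runs to
// the next '}', so a quoted ';' inside it is kept as part of the value.
std::vector<std::pair<std::wstring, std::wstring>>
parse_conn_string(const std::wstring& s) {
    std::vector<std::pair<std::wstring, std::wstring>> out;
    std::size_t i = 0;
    while (i < s.size()) {
        const std::size_t eq = s.find(L'=', i);
        if (eq == std::wstring::npos) break;
        const std::wstring key = s.substr(i, eq - i);
        const std::size_t vstart = eq + 1;
        std::size_t vend;
        if (vstart < s.size() && s[vstart] == L'{') {
            vend = s.find(L'}', vstart);
            vend = (vend == std::wstring::npos) ? s.size() : vend + 1;
        } else {
            vend = s.find(L';', vstart);
            if (vend == std::wstring::npos) vend = s.size();
        }
        out.emplace_back(key, s.substr(vstart, vend - vstart));
        i = (vend < s.size() && s[vend] == L';') ? vend + 1 : vend;
    }
    return out;
}

// Run every value of a connection string through both routines.
struct CheckResult {
    std::size_t pairs = 0;       // key-value pairs found
    std::size_t overflowed = 0;  // values the 1024 buffer could not hold
    std::size_t longest = 0;     // longest value after bracket removal
};

CheckResult check_conn_string(const std::wstring& s) {
    CheckResult r;
    wchar_t buf[kFixedBufLen];
    for (const auto& kv : parse_conn_string(s)) {
        ++r.pairs;
        if (!copy_remove_brackets_bounded(kv.second, buf)) ++r.overflowed;
        const std::wstring v = remove_brackets_dynamic(kv.second);
        if (v.size() > r.longest) r.longest = v.size();
    }
    return r;
}

// Constructed input following the report's example: PWD is 1031 'a's.
std::wstring sample_conn_string() {
    return L"SERVER=host;UID=my_user;PWD=aaaa" + std::wstring(1024, L'a') + L"aaa;";
}

int main() {
    const CheckResult r = check_conn_string(sample_conn_string());
    std::cout << "pairs=" << r.pairs << " overflowed=" << r.overflowed
              << " longest=" << r.longest << '\n';
    return 0;
}
```

With the sample string the bounded routine rejects exactly one value (the 1031-character PWD; 1023 characters is the most that fits with the NUL) while the dynamic routine returns it intact, which is the behaviour difference the report is asking for. The threshold, not the rejection, is the point: the real fix is to stop having one.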