Bug #26851 Mysql Client --pager Buffer Overflow
Submitted: 5 Mar 2007 22:16 Modified: 7 Jun 2007 16:27
Reporter: Alfredo Pesoli
Status: Closed
Category: MySQL Server: Command-line Clients    Severity: S2 (Serious)
Version: 5.0.38-BK, 5.0.32, 5.0.24a    OS: Linux (Linux)
Assigned to: Ramil Kalimullin    CPU Architecture: Any

[5 Mar 2007 22:16] Alfredo Pesoli
Description:
Mysql Client doesn't properly verify the length of the --pager option; it is possible to cause a buffer overflow by passing a long string (at least 524, while 580 will segfault in strcpy).

Tested on:

Debian Etch 4.0.2-5
- mysql  Ver 14.12 Distrib 5.0.32, for pc-linux-gnu (i486) using readline 5.2

Ubuntu 6.10
- mysql  Ver 14.12 Distrib 5.0.24a, for pc-linux-gnu (i486) using readline 5.1

How to repeat:
$ mysql -u fake --pager=`perl -e 'print "A"x524';`

ERROR 1045 (28000): Access denied for user 'fake'@'localhost' (using password: NO)
*** glibc detected *** mysql: free(): invalid pointer: 0x0805b000 ***

$ mysql -u fake --pager=`perl -e 'print "A"x544';`
mysql: Out of memory (Needed 1094795592 bytes)
ERROR 2008 (HY000): MySQL client ran out of memory
Segmentation fault (core dumped)
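As an added illustration (not code from the MySQL client or from the reporter), the unchecked strcpy() pattern the report describes sits beside a bounded version that rejects an over-long --pager value; the buffer size PAGER_BUF_LEN, the function names and the test helper are assumptions:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed-size pager buffer; the real size used by the 5.0 client is
 * not stated in the report, 512 is a hypothetical value for illustration. */
#define PAGER_BUF_LEN 512

static char pager_buf[PAGER_BUF_LEN];

/* Unsafe pattern as described in the report: the option value is copied with
 * strcpy() and its length is never checked, so a value of PAGER_BUF_LEN or
 * more characters writes past the buffer into whatever follows it. */
void set_pager_unchecked(const char *opt)
{
    strcpy(pager_buf, opt);   /* unbounded copy: the defect */
}

/* Hardened form: refuse the value if it does not fit together with its NUL.
 * Returns 0 on success, -1 if the option is too long (caller reports error). */
int set_pager_checked(const char *opt)
{
    size_t len = strlen(opt);
    if (len >= PAGER_BUF_LEN)
        return -1;                       /* too long: reject, do not truncate */
    memcpy(pager_buf, opt, len + 1);     /* bounded copy including terminator */
    return 0;
}

const char *current_pager(void) { return pager_buf; }

/* Helper (constructed for this example): try a --pager value of n 'A's. */
int pager_try_length(size_t n)
{
    char *s = malloc(n + 1);
    if (!s) return -1;
    memset(s, 'A', n);
    s[n] = '\0';
    int rc = set_pager_checked(s);
    free(s);
    return rc;
}

int main(int argc, char **argv)
{
    const char *opt = argc > 1 ? argv[1] : "less -S";
    if (set_pager_checked(opt) != 0) {
        fprintf(stderr, "mysql: --pager value too long (max %d)\n", PAGER_BUF_LEN - 1);
        return 1;
    }
    printf("pager set to: %s\n", current_pager());
    return 0;
}
```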
[6 Mar 2007 5:50] Valeriy Kravchuk
Thank you for a bug report. Verified just as described with latest 5.0.38-BK on Linux.
[7 Jun 2007 16:27] Timothy Smith
Fixed in 5.0.42, 5.1.18.