Bug #33976 buffer overflow of variable time_buff in function com_go()
Submitted: 22 Jan 2008 10:25 Modified: 25 Jan 2008 0:55
Reporter: Shane Bester (Platinum Quality Contributor) Email Updates:
Status: Duplicate Impact on me:
None 
Category:MySQL Server: Command-line Clients Severity:S2 (Serious)
Version:5.1.23 OS:Any
Assigned to: CPU Architecture:Any
Tags: buffer overflow

[22 Jan 2008 10:25] Shane Bester
Description:
When a query takes a long time to complete, a buffer overflow occurs in the buffer that prints the time taken:

mysql> select 1;select sleep(4);select 4;
+---+
| 1 |
+---+
| 1 |
+---+
1 row in set (0.00 sec)

+----------+
| sleep(4) |
+----------+
|        0 |
+----------+
1 row in set (4 days 13 hours 54 min 29.41 sec)

Error:Run-Time Check Failure #2 - Stack around the variable 'time_buff' was corrupted. At e:\builds\5.1-win-src-32bit\client\mysql.cc:2328
+---+
| 4 |
+---+
| 4 |
+---+
1 row in set (0.00 sec)

Notice the length of "(4 days 13 hours 54 min 29.41 sec)" is more than time_buff[32] can hold.

How to repeat:
Run a debug version of mysql client, or run it under valgrind. Just make sure you get a time taken with "(X days YY hours ZZ mins SS.MM sec)":

select 1;select sleep(45);select 4;

During that sleep(45), advance the system datetime forward by some days so mysql thinks it took really long.

Code review should be easier..

Suggested fix:
increase the length of the time_buff buffer in com_go(). Make it at least 4 characters larger..
[22 Jan 2008 10:31] Shane Bester
maybe related to bug #33841
[25 Jan 2008 0:55] Jim Winstead
This is a duplicate of Bug #33841.
[25 Feb 2008 15:58] Bugs System
Pushed into 5.1.24-rc
[25 Feb 2008 16:04] Bugs System
Pushed into 6.0.5-alpha
[25 Feb 2008 16:05] Bugs System
Pushed into 5.0.58
[25 Feb 2008 16:07] Bugs System
Pushed into 4.1.24