Description:
MySQL-5.1.61 has been scanned using Coverity static analysis tool and these are some of the issues, that I find worth fixing (same issues can be find in the 5.5. version as well and some of them are new comparing to 5.1.52):
* fix in coverity1.patch: Error: BUFFER_SIZE_WARNING:
/builddir/build/BUILD/mysql-5.1.61/sql/sql_prepare.cc:2749: buffer_size_warning: Calling strncpy with a maximum size argument of 512 bytes on destination array "this->stmt->last_error" of size 512 bytes might leave the destination string unterminated.
* Error: MISSING_BREAK:
/builddir/build/BUILD/mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc:6672: unterminated_case: This case (value 6) is not terminated by a 'break' statement.
/builddir/build/BUILD/mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc:6677: fallthrough: The above case falls through to this one.
* Error: OVERRUN_STATIC:
/builddir/build/BUILD/mysql-5.1.61/storage/innodb_plugin/os/os0file.c:3108: overrun-local: Overrunning static array "srv_io_thread_function", with 100 elements, at position 129 with index variable "i".
* fix in coverity2.patch: Error: STRING_OVERFLOW:
/builddir/build/BUILD/mysql-5.1.61/sql/sql_trigger.cc:2194: fixed_size_dest: You might overrun the 512 byte fixed-size string "this->m_parse_error_message" by copying "error_message" without checking the length.
/builddir/build/BUILD/mysql-5.1.61/sql/sql_trigger.cc:2194: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
* fix in coverity3.patch: Error: STRING_OVERFLOW:
/builddir/build/BUILD/mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc:6544: fixed_size_dest: You might overrun the 512 byte fixed-size string "name2" by copying "name" without checking the length.
/builddir/build/BUILD/mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc:6544: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
* Error: USE_AFTER_FREE:
/builddir/build/BUILD/mysql-5.1.61/sql/sql_select.cc:13470: alias: Assigning: "save_quick" = "select->quick". Now both point to the same storage.
/builddir/build/BUILD/mysql-5.1.61/sql/sql_select.cc:13921: freed_arg: "operator delete(void *)" frees "select->quick".
/builddir/build/BUILD/mysql-5.1.61/sql/sql_select.cc:13922: use_after_free: Using freed pointer "save_quick".
How to repeat:
Just see the code.
Suggested fix:
mysql-coverity1.patch:
diff -up mysql-5.1.61/sql/sql_prepare.cc.coverity1 mysql-5.1.61/sql/sql_prepare.cc
--- mysql-5.1.61/sql/sql_prepare.cc.coverity1 2012-03-12 12:48:43.252708700 +0100
+++ mysql-5.1.61/sql/sql_prepare.cc 2012-03-12 12:48:50.365250394 +0100
@@ -2746,7 +2746,7 @@ public:
{
stmt->state= Query_arena::ERROR;
stmt->last_errno= sql_errno;
- strncpy(stmt->last_error, message, MYSQL_ERRMSG_SIZE);
+ strncpy(stmt->last_error, message, sizeof(stmt->last_error)-1);
return TRUE;
}
mysql-coverity2.patch:
diff -up mysql-5.1.61/sql/sql_trigger.cc.coverity2 mysql-5.1.61/sql/sql_trigger.cc
--- mysql-5.1.61/sql/sql_trigger.cc.coverity2 2012-03-13 07:45:56.346793667 +0100
+++ mysql-5.1.61/sql/sql_trigger.cc 2012-03-13 07:46:47.089803959 +0100
@@ -2191,7 +2191,7 @@ void Table_triggers_list::mark_fields_us
void Table_triggers_list::set_parse_error_message(char *error_message)
{
m_has_unparseable_trigger= true;
- strcpy(m_parse_error_message, error_message);
+ strncpy(m_parse_error_message, error_message, sizeof(m_parse_error_message)-1);
}
mysql-coverity3.patch:
diff -up mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc.coverity3 mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc
--- mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc.coverity3 2012-03-13 07:50:37.669438554 +0100
+++ mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc 2012-03-13 07:51:16.269326579 +0100
@@ -6541,7 +6541,7 @@ ha_innobase::create(
DBUG_RETURN(HA_ERR_TO_BIG_ROW);
}
- strcpy(name2, name);
+ strncpy(name2, name, sizeof(name2)-1);
normalize_table_name(norm_name, name2);
Description: MySQL-5.1.61 has been scanned using Coverity static analysis tool and these are some of the issues, that I find worth fixing (same issues can be find in the 5.5. version as well and some of them are new comparing to 5.1.52): * fix in coverity1.patch: Error: BUFFER_SIZE_WARNING: /builddir/build/BUILD/mysql-5.1.61/sql/sql_prepare.cc:2749: buffer_size_warning: Calling strncpy with a maximum size argument of 512 bytes on destination array "this->stmt->last_error" of size 512 bytes might leave the destination string unterminated. * Error: MISSING_BREAK: /builddir/build/BUILD/mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc:6672: unterminated_case: This case (value 6) is not terminated by a 'break' statement. /builddir/build/BUILD/mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc:6677: fallthrough: The above case falls through to this one. * Error: OVERRUN_STATIC: /builddir/build/BUILD/mysql-5.1.61/storage/innodb_plugin/os/os0file.c:3108: overrun-local: Overrunning static array "srv_io_thread_function", with 100 elements, at position 129 with index variable "i". * fix in coverity2.patch: Error: STRING_OVERFLOW: /builddir/build/BUILD/mysql-5.1.61/sql/sql_trigger.cc:2194: fixed_size_dest: You might overrun the 512 byte fixed-size string "this->m_parse_error_message" by copying "error_message" without checking the length. /builddir/build/BUILD/mysql-5.1.61/sql/sql_trigger.cc:2194: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function. * fix in coverity3.patch: Error: STRING_OVERFLOW: /builddir/build/BUILD/mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc:6544: fixed_size_dest: You might overrun the 512 byte fixed-size string "name2" by copying "name" without checking the length. /builddir/build/BUILD/mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc:6544: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function. * Error: USE_AFTER_FREE: /builddir/build/BUILD/mysql-5.1.61/sql/sql_select.cc:13470: alias: Assigning: "save_quick" = "select->quick". Now both point to the same storage. /builddir/build/BUILD/mysql-5.1.61/sql/sql_select.cc:13921: freed_arg: "operator delete(void *)" frees "select->quick". /builddir/build/BUILD/mysql-5.1.61/sql/sql_select.cc:13922: use_after_free: Using freed pointer "save_quick". How to repeat: Just see the code. Suggested fix: mysql-coverity1.patch: diff -up mysql-5.1.61/sql/sql_prepare.cc.coverity1 mysql-5.1.61/sql/sql_prepare.cc --- mysql-5.1.61/sql/sql_prepare.cc.coverity1 2012-03-12 12:48:43.252708700 +0100 +++ mysql-5.1.61/sql/sql_prepare.cc 2012-03-12 12:48:50.365250394 +0100 @@ -2746,7 +2746,7 @@ public: { stmt->state= Query_arena::ERROR; stmt->last_errno= sql_errno; - strncpy(stmt->last_error, message, MYSQL_ERRMSG_SIZE); + strncpy(stmt->last_error, message, sizeof(stmt->last_error)-1); return TRUE; } mysql-coverity2.patch: diff -up mysql-5.1.61/sql/sql_trigger.cc.coverity2 mysql-5.1.61/sql/sql_trigger.cc --- mysql-5.1.61/sql/sql_trigger.cc.coverity2 2012-03-13 07:45:56.346793667 +0100 +++ mysql-5.1.61/sql/sql_trigger.cc 2012-03-13 07:46:47.089803959 +0100 @@ -2191,7 +2191,7 @@ void Table_triggers_list::mark_fields_us void Table_triggers_list::set_parse_error_message(char *error_message) { m_has_unparseable_trigger= true; - strcpy(m_parse_error_message, error_message); + strncpy(m_parse_error_message, error_message, sizeof(m_parse_error_message)-1); } mysql-coverity3.patch: diff -up mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc.coverity3 mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc --- mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc.coverity3 2012-03-13 07:50:37.669438554 +0100 +++ mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc 2012-03-13 07:51:16.269326579 +0100 @@ -6541,7 +6541,7 @@ ha_innobase::create( DBUG_RETURN(HA_ERR_TO_BIG_ROW); } - strcpy(name2, name); + strncpy(name2, name, sizeof(name2)-1); normalize_table_name(norm_name, name2);