Bug #65682 Call to SQLColumns with table name > approx 20 chars causes apps to bomb
Submitted: 20 Jun 2012 9:16 Modified: 26 Jun 2012 5:24
Reporter: Neil Manning
Status: Duplicate
Category:Connector / ODBC Severity:S1 (Critical)
Version:5.1.11 OS:Windows (32-bit)
Assigned to: CPU Architecture:Any

[20 Jun 2012 9:16] Neil Manning
Description:
Both our product and the JRE (running a different application from our product) would bomb out catastrophically when making the following call: SQLColumns(Handle, NULL, 0, NULL, 0, TableName, TableNameLength, 0, 0) through the MySQL ODBC Connector v5.1.11.
It would succeed for the table "resource_header" but fail for the table "ps_ws_method_bindings".
I compiled the connector in Debug mode and found that it was hitting an assert at line 219 of catalog.c as a result of a buffer overrun.
Note that line 155 contains the comment: @todo: determine real size for buffer.

How to repeat:
From Visual C++ make the call:
SQLColumns(Handle, NULL, 0, NULL, 0, TableName, TableNameLength, 0, 0)
with TableName equal to "ps_ws_method_bindings"

Suggested fix:
Either:
  change buf[255] to buf[511] on line 156 (i.e. double the size of the buffer)
or
  change the strmov on line 159 and remove the excess white space resulting from the string having been defined over multiple lines.
or
  use a dynamically sizing buffer
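
The overrun the report describes, as an added C illustration (not the connector's catalog.c): a constructed catalog query is padded with the kind of whitespace a string literal split over several lines drags in, so that a table name over 20 characters no longer fits a 255-byte buffer; catalog_query_size and would_overflow_fixed make the missing check explicit, and build_catalog_query is the dynamically sized alternative the suggested fix mentions. The SQL text, the padding width and all function names are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed stack buffer the report describes (buf[255]). */
#define FIXED_BUF 255
/* Width the padded template is stretched to; constructed so that table
   names longer than 20 characters no longer fit, as in the report. */
#define TEMPLATE_WIDTH 232
/* Constructed stand-in for a catalog query; not the connector's real SQL. */
static const char SQL_PREFIX[] =
    "SELECT c.column_name, c.data_type, c.is_nullable, c.column_default, "
    "c.ordinal_position FROM information_schema.columns c "
    "WHERE c.table_schema = DATABASE() AND c.table_name = ";
static char query_template[TEMPLATE_WIDTH + 1];

/* Pads the prefix with spaces to TEMPLATE_WIDTH, standing in for the
   whitespace a literal defined over several lines drags into the query. */
const char *catalog_query_template(void)
{
    if (query_template[0] == '\0')
        snprintf(query_template, sizeof query_template, "%-*s",
                 TEMPLATE_WIDTH, SQL_PREFIX);
    return query_template;
}

/* Bytes the finished query needs: template, two quotes, name and NUL. */
size_t catalog_query_size(const char *table)
{
    return strlen(catalog_query_template()) + strlen(table) + 3;
}

/* 1 if copying this query into char buf[FIXED_BUF] would run past its end
   (what an unchecked strmov does); 0 if it fits. */
int would_overflow_fixed(const char *table)
{
    return catalog_query_size(table) > FIXED_BUF;
}

/* Hardened builder: measures first and allocates exactly what is needed,
   so no table name can overrun the destination. Caller frees the result. */
char *build_catalog_query(const char *table)
{
    size_t need = catalog_query_size(table);
    char *buf = malloc(need);
    if (buf == NULL)
        return NULL;
    snprintf(buf, need, "%s'%s'", catalog_query_template(), table);
    return buf;
}
```

With this template the report's two names straddle the limit: "resource_header" (15 characters) needs 250 bytes and fits, "ps_ws_method_bindings" (21 characters) needs 256 and would overrun.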

[20 Jun 2012 10:06] Bogdan Degtyariov
Thanks for spotting this problem.
We have already noticed the same issue for SQLTables(), and patches for other catalog functions, including SQLColumns(), are on their way.

[26 Jun 2012 5:24] Bogdan Degtyariov
Duplicate of bug #65200