Bug #67386 Buffer overflow when printing a large 64-bit integer with my_b_vprintf()
Submitted: 26 Oct 2012 14:45
Modified: 1 Oct 2013 18:33
Reporter: Alexey Kopytov
Status: Closed
Category: MySQL Server: Data Types
Severity: S3 (Non-critical)
Version: 5.1, 5.5, 5.6
OS: Any
Assigned to:
CPU Architecture: Any

[26 Oct 2012 14:45] Alexey Kopytov
Description:
my_b_vprintf() allocates a buffer of 17 bytes on the stack when printing long integers. However, on a 64-bit machine the largest decimal representation of 'long' is 20 characters (excluding the terminating zero), which means the buffer is overrun in this case.

This has been fixed in 5.6 with the following revision: http://bazaar.launchpad.net/~mysql/mysql-server/5.6/revision/2876.295.40

5.5 and earlier versions are still affected.

How to repeat:
Call my_b_vprintf(..., "%lu", 18446744073709551614), for example.
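The size arithmetic behind this report, as an added example that is not MySQL's my_b_vprintf() code: it computes the decimal width an unsigned long actually needs (20 digits for the largest LP64 value), sizes a scratch buffer from the type rather than from a hard-coded constant, and refuses the conversion when the destination cannot hold digits plus NUL instead of writing past it. The helper names dec_width_ulong, dec_width_ulong_max, ulong_to_dec, fits_in_17 and the macro ULONG_DEC_CAP are assumptions for this illustration; the 17-byte and value 18446744073709551614 come from the report, and the value is written as ULONG_MAX - 1 so the example also compiles where long is 32 bits.

```c
#include <stdio.h>
#include <string.h>
#include <limits.h>

/* Added example, not MySQL code: why a 17-byte scratch buffer cannot hold
 * an LP64 'unsigned long', and how to size and bounds-check the conversion.
 * Helper names below are hypothetical. */

/* Compile-time capacity derived from the type: 3 decimal digits per byte is
 * always enough (2^8 = 256 needs 3 digits), plus 1 for the terminating NUL.
 * On LP64 this is 25 bytes; the upstream fix simply chose 32. */
#define ULONG_DEC_CAP (3 * sizeof(unsigned long) + 1)

/* Exact number of decimal characters needed for v (NUL not counted). */
size_t dec_width_ulong(unsigned long v) {
    size_t n = 1;
    while (v >= 10UL) { v /= 10UL; n++; }
    return n;
}

/* Width of the largest unsigned long: 20 on LP64 builds, 10 where long is 32-bit. */
size_t dec_width_ulong_max(void) {
    return dec_width_ulong(ULONG_MAX);
}

/* Convert v to decimal in dst. Returns the number of characters written
 * (excluding NUL), or -1 if dst_len cannot hold digits plus NUL. The -1 path
 * is exactly the condition the report describes: 20 digits, 17 bytes. */
int ulong_to_dec(unsigned long v, char *dst, size_t dst_len) {
    size_t need = dec_width_ulong(v);
    if (dst == NULL || dst_len < need + 1)
        return -1;                        /* would overflow: refuse to write */
    dst[need] = '\0';
    for (size_t i = need; i > 0; i--) {   /* fill digits back to front */
        dst[i - 1] = (char)('0' + (v % 10UL));
        v /= 10UL;
    }
    return (int)need;
}

/* Pure arithmetic check (no buffer touched): does v plus NUL fit in the
 * pre-fix 17-byte buffer? */
int fits_in_17(unsigned long v) {
    return dec_width_ulong(v) + 1 <= 17;
}

int main(void) {
    char small[17];                       /* the pre-fix size from the report */
    char big[ULONG_DEC_CAP];              /* sized from the type, like the 32-byte fix */
    unsigned long v = ULONG_MAX - 1UL;    /* 18446744073709551614 on LP64 ("How to repeat") */

    printf("max decimal width of unsigned long on this build: %zu\n",
           dec_width_ulong_max());
    printf("17-byte buffer, %lu: %s\n", v,
           ulong_to_dec(v, small, sizeof small) < 0 ? "refused (would overflow)" : small);
    printf("%zu-byte buffer, %lu: %s\n", sizeof big, v,
           ulong_to_dec(v, big, sizeof big) < 0 ? "refused" : big);
    return 0;
}
```

On an LP64 build the first conversion is refused and the second prints all 20 digits; deriving the capacity from sizeof(unsigned long) is what keeps the buffer correct across 32-bit and 64-bit targets, which the fixed 17-byte constant did not.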
[28 Jan 2013 17:54] Sinisa Milivojevic
Should be fixed in 5.5.
[5 Jun 2013 13:37] Sinisa Milivojevic
Kaamos, 

This bug should be fixed in 5.6.12.

Can you check it out ????
[11 Jun 2013 6:08] Alexey Kopytov
Sinisa,

As my original report says, the bug was fixed in 5.6 long before 5.6.12. But 5.1.70 and 5.5.32 (i.e. the current LP branches) are still affected.
[18 Jun 2013 16:15] Sinisa Milivojevic
Bug is fixed in 5.6, but should be fixed in 5.1 and 5.5 too ...
[1 Oct 2013 18:33] Paul Dubois
Noted in 5.1.73, 5.5.35 changelogs.

The my_b_vprintf() function could produce incorrect results for long integers on 64-bit systems.
[5 Dec 2013 6:36] Laurynas Biveinis
5.1$ bzr log -r 4046
------------------------------------------------------------
revno: 4046
committer: mithun <mithun.c.y@oracle.com>
branch nick: mysql-5.1
timestamp: Tue 2013-09-10 15:32:27 +0530
message:
  Bug #16978278 : BUFFER OVERFLOW WHEN PRINTING A LARGE 64-BIT INTEGER
                  WITH MY_B_VPRINTF()
  Issue         : In LP 64 machine max long value can be 20 digit
                  decimal value. But in my_b_vprintf() the intermediate
                  buffer storage used is 17 bytes length. This will lead to
                  buffer overflow.
  Solution      : Increased the buffer storage from 17 to 32 bytes.
                  code is backported from 5.6