Description:
See the suggested fix for the context.
Since strncpy does not add a terminating zero at the end of the destination string, the
strncpy call created an unterminated string. Such an unterminated string led strchr to
search for ':' beyond the initialized part of the buffer array. If there was a ':'
character before the '\0', we could get into trouble, because the option_ptr variable
would become bigger than the retstr variable; thus (retstr - option_ptr) would be a
negative number and (size_t)(retstr - option_ptr) would become about
4G. In the end we could (and really did) see an error like this:
mysqlslap: Out of memory (Needed 4294967236 bytes)
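To make the failure mode described above concrete, here is an added C demonstration; it is not mysqlslap's code. The option-length arithmetic is reconstructed from the description, and the BUF_LEN size, the stale buffer contents and the "key=val" option value are constructed for the demo:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for this demo; mysqlslap's real HUGE_STRING_LENGTH differs. */
#define BUF_LEN 64

/* Constructed stale buffer contents: junk from earlier use, a ':' far beyond
   where the next short value will land, then a terminator so strchr stops. */
static void fill_stale(char *buffer, size_t cap)
{
    memset(buffer, 'x', cap);
    buffer[cap - 2] = ':';
    buffer[cap - 1] = '\0';
}

/* Models the option-length arithmetic from the report for one comma-separated
   value [ptr, retstr). terminate == 0 leaves the strncpy copy unterminated (the
   bug); terminate == 1 writes the '\0' the fix adds. Returns option_length, or 0. */
static size_t option_length(const char *ptr, size_t value_len, int terminate)
{
    char buffer[BUF_LEN];
    const char *retstr = ptr + value_len;         /* end of this value */
    char *buffer_ptr;
    const char *option_ptr;

    if ((size_t)(retstr - ptr) >= BUF_LEN)        /* keep room for '\0' */
        return 0;
    fill_stale(buffer, BUF_LEN);
    strncpy(buffer, ptr, (size_t)(retstr - ptr)); /* writes no terminator */
    if (terminate)
        buffer[(size_t)(retstr - ptr)] = '\0';

    if (!(buffer_ptr = strchr(buffer, ':')))
        return 0;                                 /* engine with no option */
    /* Option starts after the ':' at the matching offset in the input. */
    option_ptr = ptr + 1 + (size_t)(buffer_ptr - buffer);
    /* If the ':' came from stale bytes, option_ptr > retstr and this wraps
       to a huge size_t: the "Needed 4294967236 bytes" symptom. */
    return (size_t)(retstr - option_ptr);
}

int main(void)
{
    printf("unterminated heap         -> %zu\n", option_length("heap", 4, 0));
    printf("terminated   heap         -> %zu\n", option_length("heap", 4, 1));
    printf("terminated   heap:key=val -> %zu\n", option_length("heap:key=val", 12, 1));
    return 0;
}
```

The first line shows the wrapped length; on the 32-bit build from the report it comes out near 4G, on a 64-bit build it is near SIZE_MAX.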
How to repeat:
I was lucky to reproduce with:
$> mysqlslap --engine="heap,myisam"
But since it depends on how the uninitialized memory looks, it is not possible to reproduce every time.
Suggested fix:
diff -up mysql-5.6.26/client/mysqlslap.c.orig mysql-5.6.26/client/mysqlslap.c
--- mysql-5.6.26/client/mysqlslap.c.orig 2015-08-12 16:41:28.177968824 +0200
+++ mysql-5.6.26/client/mysqlslap.c 2015-08-12 16:41:18.856967484 +0200
@@ -2020,11 +2020,12 @@ parse_option(const char *origin, option_
Return an error if the length of the any of the comma seprated value
exceeds HUGE_STRING_LENGTH.
*/
- if ((size_t)(retstr - ptr) > HUGE_STRING_LENGTH)
+ if ((size_t)(retstr - ptr) >= HUGE_STRING_LENGTH)
return -1;
count++;
strncpy(buffer, ptr, (size_t)(retstr - ptr));
+ buffer[(size_t)(retstr - ptr)] = '\0';
if ((buffer_ptr= strchr(buffer, ':')))
{
char *option_ptr;
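Review bot: the comment just above the changed check still says a value is rejected only when it "exceeds HUGE_STRING_LENGTH", but with `>=` a value of exactly HUGE_STRING_LENGTH bytes is now rejected as well, which is what the new `buffer[(size_t)(retstr - ptr)] = '\0';` store needs so that the terminator stays inside buffer; please update the comment to say the length must leave room for the terminator (and fix "seprated" while there). Since the length is already known, `memcpy(buffer, ptr, len); buffer[len] = '\0';` would state the intent more plainly than strncpy followed by a manual terminator, and avoids the strncpy-without-termination pattern that caused the bug.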