Bug #81626 | A buffer overflow occurs when an attacker sent large data to split() function | ||
---|---|---|---|
Submitted: | 27 May 2016 12:03 | Modified: | 17 Jun 2016 18:07 |
Reporter: | Emin Ghuliev | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Command-line Clients | Severity: | S2 (Serious) |
Version: | 5.7.11 | OS: | Linux |
Assigned to: | | CPU Architecture: | Any |
[27 May 2016 12:03]
Emin Ghuliev
[28 May 2016 8:43]
Emin Ghuliev
This bug is related to the "strcpy" function in the regex/split.c file: the second parameter has no validity checks.

```c
if (argc > 4)
    for (n = atoi(argv[3]); n > 0; n--) {
        (void) strcpy(buf, argv[1]);   //<==== argv[1]
    }
```
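An added example, not part of the original report and not MySQL's actual fix: a hardened form of the loop quoted above, which rejects an over-long argv[1] instead of copying it and parses argv[3] strictly. `BUF_SIZE`, `checked_copy`, `parse_count` and `repeat_copy` are hypothetical names and values chosen for illustration.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 512  /* assumed size of the fixed buffer, for illustration */

/* Copy src into dst only if it fits, terminator included.
 * Returns 0 on success, -1 if src would overflow dst (nothing is written). */
static int checked_copy(char *dst, size_t dstsz, const char *src)
{
    /* Look for the terminator within the first dstsz bytes only. */
    const char *nul = memchr(src, '\0', dstsz);
    if (nul == NULL)
        return -1;
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Parse the repeat count strictly; atoi() cannot report errors.
 * Returns 0 on success, -1 on junk, overflow, or a negative value. */
static int parse_count(const char *s, long *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0' || v < 0)
        return -1;
    *out = v;
    return 0;
}

/* Hardened form of the loop in the report: text stands for argv[1],
 * count for argv[3]. Returns copies made, or -1 if input is rejected. */
long repeat_copy(const char *text, const char *count)
{
    char buf[BUF_SIZE];
    long n, done = 0;

    if (parse_count(count, &n) != 0)
        return -1;
    for (; n > 0; n--) {
        if (checked_copy(buf, sizeof buf, text) != 0)
            return -1;
        done++;
    }
    return done;
}
```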
[30 May 2016 14:57]
Emin Ghuliev
subject changed
[17 Jun 2016 18:07]
Paul DuBois
Posted by developer: Noted in 5.5.31, 5.6.32, 5.7.14 changelogs. A buffer overflow in the regex library was fixed.