| Bug #89413 | Incorrect sprintf buffer size in sp_head::show_routine_code | ||
|---|---|---|---|
| Submitted: | 25 Jan 2018 15:15 | Modified: | 7 Feb 2018 15:37 |
| Reporter: | Zsolt Parragi (OCA) | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server | Severity: | S3 (Non-critical) |
| Version: | 5.5, 5.6, 5.7 | OS: | Any |
| Assigned to: | CPU Architecture: | Any | |
[6 Feb 2018 18:11]
MySQL Verification Team
Hi Zsolt,
Tell me, why the code should not be like this:
const char format[] = "Instruction at position %u has m_ip=%u";
char tmp[strlen(format) + 2 * sizeof(uint) + 1];
snprintf(tmp, sizeof(tmp), format, ip, i->get_ip());
[6 Feb 2018 18:43]
MySQL Verification Team
See the fix: https://github.com/mysql/mysql-server/commit/add5c9016af30d521292ffe65b301397ef0f38bb
[7 Feb 2018 13:01]
MySQL Verification Team
Hi Zsolt, This bug is thoroughly fixed in 8.0+. We shall inquire whether the patch can be ported back to previous versions. We shall let you know when we find out.
[7 Feb 2018 15:37]
MySQL Verification Team
Hi! That patch that was pushed into 8.0 is now pushed into 5.7 version, so it should be available in the next release. There will be no changes in 5.5 and 5.6 due to the risk and due to the compilers that are used for those versions. Thank you.
Description: The function contains the following code: const char *format= "Instruction at position %u has m_ip=%u"; char tmp[sizeof(format) + 2 * sizeof(uint) + 1]; sprintf(tmp, format, ip, i->get_ip()); Where sizeof(format) is the size of a pointer, less than the length of the string. This code snippet should be: const char format[] = "Instruction at position %u has m_ip=%u"; char tmp[sizeof(format) + 2 * sizeof(uint) + 1]; snprintf(tmp, sizeof(tmp), format, ip, i->get_ip()); How to repeat: The issue is reported as a warning by gcc 7