author | Remi Collet <fedora@famillecollet.com> | 2013-02-13 10:10:07 +0100 |
---|---|---|
committer | Remi Collet <fedora@famillecollet.com> | 2013-02-13 10:10:07 +0100 |
commit | e68a21750a6e17015341329e50f12726177358d0 (patch) | |
tree | 5887108896073d631c36ffc400a1db5eeaef2f19 /mysql-string-overflow.patch | |
parent | 2f57d8a449a2177cdb6098e738dbb595ad41cb70 (diff) |
mysql 5.6, first work
Diffstat (limited to 'mysql-string-overflow.patch')
-rw-r--r-- | mysql-string-overflow.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/mysql-string-overflow.patch b/mysql-string-overflow.patch
new file mode 100644
index 0000000..eaa40f6
--- /dev/null
+++ b/mysql-string-overflow.patch
@@ -0,0 +1,57 @@
+These issues were found by Coverity static analysis tool, for more info
+see messages by particular fixes (messages belong to 5.1.61).
+
+Filed upstream at http://bugs.mysql.com/bug.php?id=64631
+
+
+Error: BUFFER_SIZE_WARNING:
+/builddir/build/BUILD/mysql-5.1.61/sql/sql_prepare.cc:2749: buffer_size_warning: Calling strncpy with a maximum size argument of 512 bytes on destination array "this->stmt->last_error" of size 512 bytes might leave the destination string unterminated.
+
+diff -up mysql-5.5.28/sql/sql_prepare.cc.p20 mysql-5.5.28/sql/sql_prepare.cc
+--- mysql-5.5.28/sql/sql_prepare.cc.p20 2012-08-29 10:50:46.000000000 +0200
++++ mysql-5.5.28/sql/sql_prepare.cc 2012-12-06 14:27:28.647087401 +0100
+@@ -2879,7 +2879,7 @@ void mysql_stmt_get_longdata(THD *thd, c
+ {
+ stmt->state= Query_arena::STMT_ERROR;
+ stmt->last_errno= thd->stmt_da->sql_errno();
+- strncpy(stmt->last_error, thd->stmt_da->message(), MYSQL_ERRMSG_SIZE);
++ strncpy(stmt->last_error, thd->stmt_da->message(), sizeof(stmt->last_error)-1);
+ }
+ thd->stmt_da= save_stmt_da;
+ thd->warning_info= save_warinig_info;
+
+
+Error: STRING_OVERFLOW:
+/builddir/build/BUILD/mysql-5.1.61/sql/sql_trigger.cc:2194: fixed_size_dest: You might overrun the 512 byte fixed-size string "this->m_parse_error_message" by copying "error_message" without checking the length.
+/builddir/build/BUILD/mysql-5.1.61/sql/sql_trigger.cc:2194: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
+
+diff -up mysql-5.5.28/sql/sql_trigger.cc.p20 mysql-5.5.28/sql/sql_trigger.cc
+--- mysql-5.5.28/sql/sql_trigger.cc.p20 2012-08-29 10:50:46.000000000 +0200
++++ mysql-5.5.28/sql/sql_trigger.cc 2012-12-06 14:27:28.648087398 +0100
+@@ -2260,7 +2260,7 @@ void Table_triggers_list::mark_fields_us
+ void Table_triggers_list::set_parse_error_message(char *error_message)
+ {
+ m_has_unparseable_trigger= true;
+- strcpy(m_parse_error_message, error_message);
++ strncpy(m_parse_error_message, error_message, sizeof(m_parse_error_message)-1);
+ }
+
+
+
+
+Error: STRING_OVERFLOW:
+/builddir/build/BUILD/mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc:6544: fixed_size_dest: You might overrun the 512 byte fixed-size string "name2" by copying "name" without checking the length.
+/builddir/build/BUILD/mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc:6544: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
+
+diff -up mysql-5.5.28/storage/innobase/handler/ha_innodb.cc.p20 mysql-5.5.28/storage/innobase/handler/ha_innodb.cc
+--- mysql-5.5.28/storage/innobase/handler/ha_innodb.cc.p20 2012-08-29 10:50:46.000000000 +0200
++++ mysql-5.5.28/storage/innobase/handler/ha_innodb.cc 2012-12-06 14:27:28.653087416 +0100
+@@ -7054,7 +7054,7 @@ ha_innobase::create(
+
+ ut_a(strlen(name) < sizeof(name2));
+
+- strcpy(name2, name);
++ strncpy(name2, name, sizeof(name2)-1);
+
+ normalize_table_name(norm_name, name2);
+ |
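Review bot: All three replacement calls in the added patch use `strncpy(dst, src, sizeof(dst)-1)` but never write the last byte, so the destination is NUL-terminated only if that byte was already zero, and nothing in the embedded hunks for sql_prepare.cc, sql_trigger.cc or ha_innodb.cc shows that. Each call should be followed by an explicit terminator: `stmt->last_error[sizeof(stmt->last_error)-1]= '\0';`, `m_parse_error_message[sizeof(m_parse_error_message)-1]= '\0';` and `name2[sizeof(name2)-1]= '\0';`. In ha_innodb.cc this is a boundary regression rather than a hardening gap: a `name` of exactly `sizeof(name2)-1` characters passes `ut_a(strlen(name) < sizeof(name2))` and was terminated by the old `strcpy`, but the new call copies it without a terminator. The other two sites now truncate silently, which deserves a short comment at each. The enclosing functions start or end outside their hunks, so earlier zeroing of these buffers cannot be confirmed or ruled out from here.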