[mysql] Fix several strcpy calls to check destination size

Jan Horak hhorak at fedoraproject.org
Tue Mar 13 17:15:24 UTC 2012


commit 2a2ffdf4aa5de1b28aca2cadad36d06257ab7116
Author: Honza HorĂ¡k <hhorak at redhat.com>
Date:   Tue Mar 13 18:05:56 2012 +0100

    Fix several strcpy calls to check destination size

 mysql-string-overflow.patch |   52 +++++++++++++++++++++++++++++++++++++++++++
 mysql.spec                  |    3 ++
 2 files changed, 55 insertions(+), 0 deletions(-)
---
diff --git a/mysql-string-overflow.patch b/mysql-string-overflow.patch
new file mode 100644
index 0000000..80cf5bc
--- /dev/null
+++ b/mysql-string-overflow.patch
@@ -0,0 +1,52 @@
+These issues were found by Coverity static analysis tool, for more info 
+see messages by particular fixes (messages belong to 5.1.61).
+
+Error: BUFFER_SIZE_WARNING:
+/builddir/build/BUILD/mysql-5.1.61/sql/sql_prepare.cc:2749: buffer_size_warning: Calling strncpy with a maximum size argument of 512 bytes on destination array "this->stmt->last_error" of size 512 bytes might leave the destination string unterminated.
+
+diff -up mysql-5.5.21/sql/sql_prepare.cc.coverity mysql-5.5.21/sql/sql_prepare.cc
+--- mysql-5.5.21/sql/sql_prepare.cc.coverity	2012-03-13 17:24:40.493658626 +0100
++++ mysql-5.5.21/sql/sql_prepare.cc	2012-03-13 17:25:14.574338307 +0100
+@@ -2863,7 +2863,7 @@ void mysql_stmt_get_longdata(THD *thd, c
+   {
+     stmt->state= Query_arena::STMT_ERROR;
+     stmt->last_errno= thd->stmt_da->sql_errno();
+-    strncpy(stmt->last_error, thd->stmt_da->message(), MYSQL_ERRMSG_SIZE);
++    strncpy(stmt->last_error, thd->stmt_da->message(), sizeof(stmt->last_error)-1);
+   }
+   thd->stmt_da= save_stmt_da;
+   thd->warning_info= save_warinig_info;
+
+
+Error: STRING_OVERFLOW:
+/builddir/build/BUILD/mysql-5.1.61/sql/sql_trigger.cc:2194: fixed_size_dest: You might overrun the 512 byte fixed-size string "this->m_parse_error_message" by copying "error_message" without checking the length.
+/builddir/build/BUILD/mysql-5.1.61/sql/sql_trigger.cc:2194: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
+
+diff -up mysql-5.5.21/sql/sql_trigger.cc.coverity mysql-5.5.21/sql/sql_trigger.cc
+--- mysql-5.5.21/sql/sql_trigger.cc.coverity	2012-03-13 17:25:50.781985493 +0100
++++ mysql-5.5.21/sql/sql_trigger.cc	2012-03-13 17:27:04.589225626 +0100
+@@ -2260,7 +2260,7 @@ void Table_triggers_list::mark_fields_us
+ void Table_triggers_list::set_parse_error_message(char *error_message)
+ {
+   m_has_unparseable_trigger= true;
+-  strcpy(m_parse_error_message, error_message);
++  strncpy(m_parse_error_message, error_message, sizeof(m_parse_error_message)-1);
+ }
+ 
+
+Error: STRING_OVERFLOW:
+/builddir/build/BUILD/mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc:6544: fixed_size_dest: You might overrun the 512 byte fixed-size string "name2" by copying "name" without checking the length.
+/builddir/build/BUILD/mysql-5.1.61/storage/innodb_plugin/handler/ha_innodb.cc:6544: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
+
+diff -up mysql-5.5.21/storage/innobase/handler/ha_innodb.cc.coverity mysql-5.5.21/storage/innobase/handler/ha_innodb.cc
+--- mysql-5.5.21/storage/innobase/handler/ha_innodb.cc.coverity	2012-03-13 17:28:52.982738150 +0100
++++ mysql-5.5.21/storage/innobase/handler/ha_innodb.cc	2012-03-13 17:29:14.952427553 +0100
+@@ -6926,7 +6926,7 @@ ha_innobase::create(
+ 		DBUG_RETURN(HA_ERR_TO_BIG_ROW);
+ 	}
+ 
+-	strcpy(name2, name);
++	strncpy(name2, name, sizeof(name2)-1);
+ 
+ 	normalize_table_name(norm_name, name2);
+ 
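Review bot: The three strncpy replacements (sql_prepare.cc at L37, sql_trigger.cc at L55, ha_innodb.cc at L71) bound the copy to sizeof(dst)-1 but never write a terminator, so a source of sizeof(dst)-1 bytes or more still leaves the destination unterminated unless its last byte already happened to be zero — the same condition Coverity reported for the first site. Each call should be followed by an explicit terminator, e.g. `m_parse_error_message[sizeof(m_parse_error_message)-1] = '\0';` after the sql_trigger.cc copy, and the equivalent `stmt->last_error[sizeof(stmt->last_error)-1] = '\0';` and `name2[sizeof(name2)-1] = '\0';` at the other two sites. In ha_innobase::create the bounded copy also silently truncates the table name before normalize_table_name() sees it, so an over-long name would be normalized as a different name; rejecting the call when `strlen(name) >= sizeof(name2)` is the safer contract than truncation. The enclosing functions of all three nested hunks start outside the shown context.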
diff --git a/mysql.spec b/mysql.spec
index c93c3ba..47a7024 100644
--- a/mysql.spec
+++ b/mysql.spec
@@ -56,6 +56,7 @@ Patch16: mysql-logrotate.patch
 Patch17: mysql-plugin-test.patch
 Patch18: mysql-cipherspec.patch
 Patch19: mysql-file-contents.patch
+Patch20: mysql-string-overflow.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: perl, readline-devel, openssl-devel
@@ -211,6 +212,7 @@ the MySQL sources.
 %patch17 -p1
 %patch18 -p1
 %patch19 -p1
+%patch20 -p1
 
 # workaround for upstream bug #56342
 rm -f mysql-test/t/ssl_8k_key-master.opt
@@ -694,6 +696,7 @@ fi
 * Tue Mar 13 2012 Honza Horak <hhorak at redhat.com> 5.5.21-2
 - Fix ssl-related tests to specify expected cipher explicitly
 Related: #789600
+- Fix several strcpy calls to check destination size
 
 * Mon Feb 27 2012 Tom Lane <tgl at redhat.com> 5.5.21-1
 - Update to MySQL 5.5.21, for various fixes described at

