Re: [Maria-developers] [patch 11/11] Fix passing too large buffer size to String() constructor, causing overflow by 1 byte

Hi!

...

...

...

...

"knielsen" == knielsen writes:

knielsen> In set_var.cc, several methods construct a String object passing too knielsen> large lenght for given buffer. The String class assumes 1 more byte is knielsen> available after the given length for zero termination in knielsen> String::c_ptr(). knielsen> Fix by passing proper lenght in constructor call. <cut> ok above. knielsen> Index: work-5.1-buildbot/sql/sql_string.h knielsen> =================================================================== knielsen> --- work-5.1-buildbot.orig/sql/sql_string.h 2009-04-08 00:35:38.000000000 +0200 knielsen> +++ work-5.1-buildbot/sql/sql_string.h 2009-04-08 00:35:43.000000000 +0200 knielsen> @@ -63,6 +63,10 @@ public: knielsen> Ptr=(char*) str; str_length=(uint) strlen(str); Alloced_length=0; alloced=0; knielsen> str_charset=cs; knielsen> } knielsen> + /* knielsen> + NOTE: the following two contructors needs the size of memory for STR to be knielsen> + at least LEN+1 (to make room for zero termination in c_ptr()). Add: If one intend to use the c_ptr() method. knielsen> + */ knielsen> String(const char *str,uint32 len, CHARSET_INFO *cs) knielsen> { knielsen> Ptr=(char*) str; str_length=len; Alloced_length=0; alloced=0; Regards, Monty