Sophie

Sophie

distrib > Mageia > 3 > i586 > media > core-release-src > by-pkgid > c05d78206daa5de0b42ebaa78271fb20 > files > 4

mariadb-5.5.28-13.mga3.src.rpm

=== added file 'mysql-test/r/grant_lowercase.result'
--- a/mysql-test/r/grant_lowercase.result	1970-01-01 00:00:00 +0000
+++ b/mysql-test/r/grant_lowercase.result	2012-12-04 16:08:02 +0000
@@ -0,0 +1,20 @@
+grant file on *.* to user1@localhost with grant option;
+grant select on `a%`.* to user1@localhost with grant option;
+grant file on aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.* to 'user'@'%' identified by 'secret';
+ERROR 42000: Incorrect database name 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
+drop user user1@localhost;
+call mtr.add_suppression("Incorrect database name");
+alter table mysql.host modify Db varchar(200);
+alter table mysql.db modify Db varchar(200);
+insert mysql.host set db=concat('=>', repeat(_utf8 'й', 200));
+Warnings:
+Warning	1265	Data truncated for column 'Db' at row 1
+insert mysql.db set db=concat('=>', repeat(_utf8 'й', 200));
+Warnings:
+Warning	1265	Data truncated for column 'Db' at row 1
+flush privileges;
+delete from mysql.host where db like '=>%';
+delete from mysql.db where db like '=>%';
+alter table mysql.host modify Db char(64);
+alter table mysql.db modify Db char(64);
+flush privileges;

=== added file 'mysql-test/t/grant_lowercase.opt'
--- a/mysql-test/t/grant_lowercase.opt	1970-01-01 00:00:00 +0000
+++ b/mysql-test/t/grant_lowercase.opt	2012-12-04 16:08:02 +0000
@@ -0,0 +1,1 @@
+--lower-case-table-names=1

=== added file 'mysql-test/t/grant_lowercase.test'
--- a/mysql-test/t/grant_lowercase.test	1970-01-01 00:00:00 +0000
+++ b/mysql-test/t/grant_lowercase.test	2012-12-04 16:08:02 +0000
@@ -0,0 +1,30 @@
+# test cases for strmov(tmp_db, db) -> strnmov replacement in sql_acl.cc
+
+#
+# http://seclists.org/fulldisclosure/2012/Dec/4
+#
+
+# in acl_get(), check_grant_db(), mysql_grant()
+grant file on *.* to user1@localhost with grant option;
+grant select on `a%`.* to user1@localhost with grant option;
+connect (conn1,localhost,user1,,);
+connection conn1;
+--error ER_WRONG_DB_NAME
+grant file on aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.* to 'user'@'%' identified by 'secret';
+connection default;
+disconnect conn1;
+drop user user1@localhost;
+
+# in acl_load()
+call mtr.add_suppression("Incorrect database name");
+alter table mysql.host modify Db varchar(200);
+alter table mysql.db modify Db varchar(200);
+insert mysql.host set db=concat('=>', repeat(_utf8 'й', 200));
+insert mysql.db set db=concat('=>', repeat(_utf8 'й', 200));
+flush privileges; # shouldn't crash here
+delete from mysql.host where db like '=>%';
+delete from mysql.db where db like '=>%';
+alter table mysql.host modify Db char(64);
+alter table mysql.db modify Db char(64);
+flush privileges;
+

=== modified file 'sql/sql_acl.cc'
--- a/sql/sql_acl.cc	2012-11-12 18:56:51 +0000
+++ b/sql/sql_acl.cc	2012-12-04 16:08:02 +0000
@@ -341,7 +341,12 @@
         convert db to lower case and give a warning if the db wasn't
         already in lower case
       */
-      (void) strmov(tmp_name, host.db);
+      char *end = strnmov(tmp_name, host.db, sizeof(tmp_name));
+      if (end >= tmp_name + sizeof(tmp_name))
+      {
+        sql_print_warning(ER(ER_WRONG_DB_NAME), host.db);
+        continue;
+      }
       my_casedn_str(files_charset_info, host.db);
       if (strcmp(host.db, tmp_name) != 0)
         sql_print_warning("'host' entry '%s|%s' had database in mixed "
@@ -595,7 +600,12 @@
         convert db to lower case and give a warning if the db wasn't
         already in lower case
       */
-      (void)strmov(tmp_name, db.db);
+      char *end = strnmov(tmp_name, db.db, sizeof(tmp_name));
+      if (end >= tmp_name + sizeof(tmp_name))
+      {
+        sql_print_warning(ER(ER_WRONG_DB_NAME), db.db);
+        continue;
+      }
       my_casedn_str(files_charset_info, db.db);
       if (strcmp(db.db, tmp_name) != 0)
       {
@@ -2474,15 +2484,23 @@
                                     const char *user, const char *tname,
                                     bool exact, bool name_tolower)
 {
-  char helping [SAFE_NAME_LEN*2+USERNAME_LENGTH+3], *name_ptr;
+  char helping[SAFE_NAME_LEN*2+USERNAME_LENGTH+3];
+  char *hend = helping + sizeof(helping);
   uint len;
   GRANT_NAME *grant_name,*found=0;
   HASH_SEARCH_STATE state;
 
-  name_ptr= strmov(strmov(helping, user) + 1, db) + 1;
-  len  = (uint) (strmov(name_ptr, tname) - helping) + 1;
+  char *db_ptr= strmov(helping, user) + 1;
+  char *tname_ptr= strnmov(db_ptr, db, hend - db_ptr) + 1;
+  if (tname_ptr > hend)
+    return 0; // invalid name = not found
+  char *end= strnmov(tname_ptr, tname, hend - tname_ptr) + 1;
+  if (end > hend)
+    return 0; // invalid name = not found
+
+  len  = (uint) (end - helping);
   if (name_tolower)
-    my_casedn_str(files_charset_info, name_ptr);
+    my_casedn_str(files_charset_info, tname_ptr);
   for (grant_name= (GRANT_NAME*) my_hash_first(name_hash, (uchar*) helping,
                                                len, &state);
        grant_name ;
@@ -3466,7 +3484,12 @@
 
   if (lower_case_table_names && db)
   {
-    strmov(tmp_db,db);
+    char *end= strnmov(tmp_db,db, sizeof(tmp_db));
+    if (end >= tmp_db + sizeof(tmp_db))
+    {
+      my_error(ER_WRONG_DB_NAME ,MYF(0), db);
+      DBUG_RETURN(TRUE);
+    }
     my_casedn_str(files_charset_info, tmp_db);
     db=tmp_db;
   }

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional