From 5bb74e6562f02e604d7f46ada6cd48b1e81ec380 Mon Sep 17 00:00:00 2001
From: Andrey Hristov
Date: Tue, 27 Apr 2010 08:26:24 +0000
Subject: [PATCH] Fixed buffer overflow in mysqlnd_change_user
---
 NEWS | 3 ++-
 ext/mysqlnd/mysqlnd.c | 8 ++++----
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/NEWS b/NEWS
index 9e46316cb5..b3a228fd82 100644
--- a/NEWS
+++ b/NEWS
@@ -16,7 +16,8 @@ PHP NEWS
 - Implemented FR#35638 (Adding udate to imap_fetch_overview results). (Charles_Duffy at dell dot com )
-- Fixed possible buffer overflow in mysqlnd_list_fields. (Andrey)
+- Fixed possible buffer overflows in mysqlnd_list_fields, mysqlnd_change_user
+ (Andrey)
 - Fixed handling of session variable serialization on certain prefix characters. Reported by Stefan Esser (Ilia)
diff --git a/ext/mysqlnd/mysqlnd.c b/ext/mysqlnd/mysqlnd.c
index df400f1e5e..bae82d4849 100644
--- a/ext/mysqlnd/mysqlnd.c
+++ b/ext/mysqlnd/mysqlnd.c
@@ -1782,7 +1782,7 @@ MYSQLND_METHOD(mysqlnd_conn, change_user)(MYSQLND * const conn,
 /* User could be max 16 * 3 (utf8), pass is 20 usually, db is up to 64*3 Stack space is not that expensive, so use a bit more to be protected against
- stack overrungs.
+ buffer overflows.
 */
 size_t user_len;
 enum_func_status ret;
@@ -1805,7 +1805,7 @@ MYSQLND_METHOD(mysqlnd_conn, change_user)(MYSQLND * const conn,
 }
 /* 1. user ASCIIZ */
- user_len = MIN(strlen(user), MYSQLND_MAX_ALLOWED_DB_LEN);
+ user_len = MIN(strlen(user), MYSQLND_MAX_ALLOWED_USER_LEN);
 memcpy(p, user, user_len);
 p += user_len;
 *p++ = '\0';
@@ -1821,8 +1821,8 @@ MYSQLND_METHOD(mysqlnd_conn, change_user)(MYSQLND * const conn,
 /* 3. db ASCIIZ */
 if (db[0]) {
- size_t db_len = strlen(db);
- memcpy(p, db, MIN(db_len, MYSQLND_MAX_ALLOWED_DB_LEN));
+ size_t db_len = MIN(strlen(db), MYSQLND_MAX_ALLOWED_DB_LEN);
+ memcpy(p, db, db_len);
 p += db_len;
 }
 *p++ = '\0';
--
2.40.0
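Review bot: The new `size_t db_len = MIN(strlen(db), MYSQLND_MAX_ALLOWED_DB_LEN);` in the third hunk closes the overrun but replaces it with a silent truncation: an over-long database name is cut to a prefix and the request is still built and sent, so change_user can end up selecting a differently named database instead of failing, and because the first hunk's comment describes these limits as utf8 byte budgets (16*3, 64*3) the cut can also land inside a multibyte sequence; the `user_len` clamp in the second hunk has the same property for the account name. For a call that switches authentication context I would refuse over-long input rather than clamp it, e.g. guard step 3 with `if (strlen(db) > MYSQLND_MAX_ALLOWED_DB_LEN)` (and step 1 with the matching `MYSQLND_MAX_ALLOWED_USER_LEN` check on `user`) and take the function's failure path via `ret`, setting the client-side error the way the rest of this file does, instead of copying a prefix. If truncation is the intended contract, it should at least be stated next to the clamp, e.g. `/* NOTE: names longer than the server limit are truncated, not rejected */`. The enclosing change_user body begins before the first hunk and continues after the last, so I cannot see whether a caller already validates these lengths.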