Bug #27231: Server crash when dumping into outfile with long FIELDS ENCLOSED BY option

- Problem: data separators were copied to a fixed-size buffer on the stack; memcpy was used, without bounds checking; a server crash could result if long FIELDS ENCLOSED BY, etc., was given - Fix: write the separators directly, instead of copying to a buffer first (in select_export::send_data()) sql/sql_class.cc: In select_export::send_data(), write data separators directly, instead of copying into a fixed-size memory buffer before writing. This avoids a buffer overflow when very large separators are specified.
19 years ago · d59272fb3d
1 changed files with 6 additions and 8 deletions
--- a/sql/sql_class.cc
+++ b/sql/sql_class.cc
@ -1048,7 +1048,6 @@ bool select_export::send_data(List<Item> &items)
  }
  row_count++;
  Item *item;
-  char *buff_ptr=buff;
  uint used_length=0,items_left=items.elements;
  List_iterator_fast<Item> li(items);

@ -1148,19 +1147,18 @@ bool select_export::send_data(List<Item> &items)
 	  goto err;
      }
    }
-    buff_ptr=buff;				// Place separators here
    if (res && (!exchange->opt_enclosed || result_type == STRING_RESULT))
    {
-      memcpy(buff_ptr,exchange->enclosed->ptr(),exchange->enclosed->length());
-      buff_ptr+=exchange->enclosed->length();
+      if (my_b_write(&cache, (byte*) exchange->enclosed->ptr(),
+                     exchange->enclosed->length()))
+        goto err;
    }
    if (--items_left)
    {
-      memcpy(buff_ptr,exchange->field_term->ptr(),field_term_length);
-      buff_ptr+=field_term_length;
+      if (my_b_write(&cache, (byte*) exchange->field_term->ptr(),
+                     field_term_length))
+        goto err;
    }
-    if (my_b_write(&cache,(byte*) buff,(uint) (buff_ptr-buff)))
-      goto err;
  }
  if (my_b_write(&cache,(byte*) exchange->line_term->ptr(),
 		 exchange->line_term->length()))