Buffer overflow when printing a large 64-bit integer with my_b_vprintf()

Bug #1071775 reported by Alexey Kopytov on 2012-10-26
Affects                                                        Status        Importance  Assigned to  Milestone
MySQL Server                                                   Unknown       Unknown
Percona Server moved to https://jira.percona.com/projects/PS   Fix Released  High        Unassigned
5.1                                                            Fix Released  High        Unassigned
5.5                                                            Fix Released  High        Unassigned
5.6                                                            Invalid       Undecided   Unassigned

Bug Description

my_b_vprintf() allocates a buffer of 17 bytes on the stack when printing long integers. However, on a 64-bit machine the largest decimal representation of 'long' is 20 characters (excluding the terminating zero), which means the buffer is overrun in this case.

This has been fixed in 5.6 with the following revision: http://bazaar.launchpad.net/~mysql/mysql-server/5.6/revision/2876.295.40

5.5 and earlier versions are still affected.

How to repeat:
Call my_b_vprintf(..., "%lu", 18446744073709551614), for example.
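As an added illustration (not MySQL's code and not the upstream fix), a bounds-checked decimal formatter whose buffer size is derived from sizeof(unsigned long), plus a check showing that the 17-byte buffer from the report cannot hold the value given above (18446744073709551614, which is ULONG_MAX - 1 on an LP64 platform). The function names and the OLD_BUF_SIZE constant are constructed for this example.

```c
#include <limits.h>
#include <stdlib.h>

/* Size of the stack buffer the report describes (constructed constant). */
#define OLD_BUF_SIZE 17

/* Always large enough: each byte of the value needs at most three decimal
   digits (2^8 = 256 < 1000), plus one byte for the terminator. On LP64 this
   is 8*3+1 = 25 bytes, above the 21 that ULONG_MAX actually needs. */
#define ULONG_DEC_BUF_SIZE (sizeof(unsigned long) * 3 + 1)

/* Number of decimal characters needed for v, excluding the terminator. */
size_t ulong_dec_len(unsigned long v)
{
    size_t n = 1;
    while (v >= 10) { v /= 10; n++; }
    return n;
}

/* Format v into dst[dst_size]. Returns the length written (excluding the
   terminator), or 0 when dst is too small; never writes past dst_size. */
size_t ulong_to_dec(unsigned long v, char *dst, size_t dst_size)
{
    size_t len = ulong_dec_len(v);
    if (dst_size == 0 || len >= dst_size)
        return 0;                       /* refuse instead of overflowing */
    dst[len] = '\0';
    for (size_t i = len; i-- > 0;) {    /* fill digits right to left */
        dst[i] = (char)('0' + v % 10);
        v /= 10;
    }
    return len;
}

/* 1 if a buffer of OLD_BUF_SIZE bytes could hold v plus its terminator. */
int fits_in_old_buffer(unsigned long v)
{
    return ulong_dec_len(v) + 1 <= OLD_BUF_SIZE;
}

/* 1 if v formatted into a correctly sized buffer parses back to v. */
int roundtrip_ok(unsigned long v)
{
    char buf[ULONG_DEC_BUF_SIZE];
    if (ulong_to_dec(v, buf, sizeof buf) == 0)
        return 0;
    return strtoul(buf, NULL, 10) == v;
}
```

On a 64-bit build fits_in_old_buffer(ULONG_MAX - 1) returns 0, which is exactly the case the report describes; the sized buffer path round-trips the same value.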

tags: added: upstream

Upstream fix in 5.1.73 / 5.5.35.

Changed in percona-server:
status: Triaged → Fix Released

Percona now uses JIRA for bug reports, so this bug report is migrated to: https://jira.percona.com/browse/PS-600
