Percona Server moved to https://jira.percona.com/projects/PS

Buffer overflow when printing a large 64-bit integer with my_b_vprintf()

  1. Series 5.1
  2. Bug #1071775
Bug #1071775 reported by Alexey Kopytov
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
MySQL Server
Unknown
Unknown
Percona Server moved to https://jira.percona.com/projects/PS
Fix Released
High
Unassigned
5.1
Fix Released
High
Unassigned
Percona Server moved to https://jira.percona.com/projects/PS 5.1.73-14.11
5.5
Fix Released
High
Unassigned
Percona Server moved to https://jira.percona.com/projects/PS 5.5.35-33.0
5.6
Invalid
Undecided
Unassigned

Bug Description

my_b_vprintf() allocates a buffer of 17 bytes on stack when printing long integers. However, on a 64-bit machine the largest decimal representation of 'long' is 20 characters (excluding the terminating zero). Which means the buffer is overrun in this case.

This has been fixed in 5.6 with the following revision: http://bazaar.launchpad.net/~mysql/mysql-server/5.6/revision/2876.295.40

5.5 and earlier versions are still affected.

How to repeat:
Call my_b_vprintf(..., "%lu", 18446744073709551614), for example.

Tags: upstream

Related branches

lp:~laurynas-biveinis/percona-server/merge-5.1.73
Stewart Smith (community): Approve
Registry Administrators: Pending requested
Diff: 2708 lines (+834/-203)
100 files modified
Makefile (+1/-1)
Percona-Server/configure.in (+1/-1)
Percona-Server/man/comp_err.1 (+2/-2)
Percona-Server/man/innochecksum.1 (+2/-2)
Percona-Server/man/make_win_bin_dist.1 (+2/-2)
Percona-Server/man/msql2mysql.1 (+2/-2)
Percona-Server/man/my_print_defaults.1 (+2/-2)
Percona-Server/man/myisam_ftdump.1 (+2/-2)
Percona-Server/man/myisamchk.1 (+4/-3)
Percona-Server/man/myisamlog.1 (+2/-2)
Percona-Server/man/myisampack.1 (+2/-2)
Percona-Server/man/mysql-stress-test.pl.1 (+2/-2)
Percona-Server/man/mysql-test-run.pl.1 (+2/-2)
Percona-Server/man/mysql.1 (+2/-2)
Percona-Server/man/mysql.server.1 (+2/-2)
Percona-Server/man/mysql_client_test.1 (+2/-2)
Percona-Server/man/mysql_config.1 (+2/-2)
Percona-Server/man/mysql_convert_table_format.1 (+2/-2)
Percona-Server/man/mysql_find_rows.1 (+2/-2)
Percona-Server/man/mysql_fix_extensions.1 (+2/-2)
Percona-Server/man/mysql_fix_privilege_tables.1 (+2/-2)
Percona-Server/man/mysql_install_db.1 (+2/-2)
Percona-Server/man/mysql_secure_installation.1 (+3/-3)
Percona-Server/man/mysql_setpermission.1 (+2/-2)
Percona-Server/man/mysql_tzinfo_to_sql.1 (+2/-2)
Percona-Server/man/mysql_upgrade.1 (+2/-2)
Percona-Server/man/mysql_waitpid.1 (+2/-2)
Percona-Server/man/mysql_zap.1 (+2/-2)
Percona-Server/man/mysqlaccess.1 (+2/-2)
Percona-Server/man/mysqladmin.1 (+2/-2)
Percona-Server/man/mysqlbinlog.1 (+2/-2)
Percona-Server/man/mysqlbug.1 (+2/-2)
Percona-Server/man/mysqlcheck.1 (+2/-2)
Percona-Server/man/mysqld.8 (+2/-2)
Percona-Server/man/mysqld_multi.1 (+2/-2)
Percona-Server/man/mysqld_safe.1 (+2/-2)
Percona-Server/man/mysqldump.1 (+2/-2)
Percona-Server/man/mysqldumpslow.1 (+2/-2)
Percona-Server/man/mysqlhotcopy.1 (+2/-2)
Percona-Server/man/mysqlimport.1 (+2/-2)
Percona-Server/man/mysqlmanager.8 (+2/-2)
Percona-Server/man/mysqlshow.1 (+2/-2)
Percona-Server/man/mysqlslap.1 (+2/-2)
Percona-Server/man/mysqltest.1 (+2/-2)
Percona-Server/man/ndb-common-options.1 (+2/-2)
Percona-Server/man/ndb_blob_tool.1 (+2/-2)
Percona-Server/man/ndb_config.1 (+3/-3)
Percona-Server/man/ndb_cpcd.1 (+2/-2)
Percona-Server/man/ndb_delete_all.1 (+2/-2)
Percona-Server/man/ndb_desc.1 (+2/-2)
Percona-Server/man/ndb_drop_index.1 (+3/-3)
Percona-Server/man/ndb_drop_table.1 (+2/-2)
Percona-Server/man/ndb_error_reporter.1 (+211/-11)
Percona-Server/man/ndb_index_stat.1 (+2/-2)
Percona-Server/man/ndb_mgm.1 (+2/-2)
Percona-Server/man/ndb_mgmd.8 (+50/-5)
Percona-Server/man/ndb_print_backup_file.1 (+2/-2)
Percona-Server/man/ndb_print_schema_file.1 (+2/-2)
Percona-Server/man/ndb_print_sys_file.1 (+2/-2)
Percona-Server/man/ndb_restore.1 (+7/-5)
Percona-Server/man/ndb_select_all.1 (+2/-2)
Percona-Server/man/ndb_select_count.1 (+2/-2)
Percona-Server/man/ndb_show_tables.1 (+2/-2)
Percona-Server/man/ndb_size.pl.1 (+2/-2)
Percona-Server/man/ndb_waiter.1 (+2/-2)
Percona-Server/man/ndbd.8 (+2/-2)
Percona-Server/man/ndbd_redo_log_reader.1 (+41/-2)
Percona-Server/man/ndbinfo_select_all.1 (+2/-2)
Percona-Server/man/ndbmtd.8 (+3/-3)
Percona-Server/man/perror.1 (+2/-2)
Percona-Server/man/replace.1 (+2/-2)
Percona-Server/man/resolve_stack_dump.1 (+2/-2)
Percona-Server/man/resolveip.1 (+2/-2)
Percona-Server/mysql-test/include/have_innodb_change_buffering.inc (+6/-0)
Percona-Server/mysql-test/include/search_pattern_in_file.inc (+66/-0)
Percona-Server/mysql-test/suite/rpl/r/rpl_dump_events_twice_bug.result (+15/-0)
Percona-Server/mysql-test/suite/rpl/r/rpl_log_pos.result (+1/-0)
Percona-Server/mysql-test/suite/rpl/r/rpl_lost_events_on_rotate.result (+14/-0)
Percona-Server/mysql-test/suite/rpl/t/rpl_dump_events_twice_bug.test (+28/-0)
Percona-Server/mysql-test/suite/rpl/t/rpl_log_pos.test (+1/-0)
Percona-Server/mysql-test/suite/rpl/t/rpl_lost_events_on_rotate.test (+51/-0)
Percona-Server/mysys/mf_iocache2.c (+2/-2)
Percona-Server/scripts/mysql_system_tables_data.sql (+3/-4)
Percona-Server/scripts/mysql_system_tables_fix.sql (+3/-0)
Percona-Server/sql-common/client.c (+2/-1)
Percona-Server/sql/filesort.cc (+5/-2)
Percona-Server/sql/log_event.cc (+11/-1)
Percona-Server/sql/sql_class.h (+3/-1)
Percona-Server/sql/sql_partition.cc (+2/-0)
Percona-Server/sql/sql_repl.cc (+43/-8)
Percona-Server/storage/innobase/btr/btr0cur.c (+22/-9)
Percona-Server/storage/innobase/handler/ha_innodb.cc (+7/-0)
Percona-Server/storage/innobase/ibuf/ibuf0ibuf.c (+18/-0)
Percona-Server/storage/innobase/include/btr0cur.h (+13/-0)
Percona-Server/storage/innodb_plugin/btr/btr0cur.c (+23/-9)
Percona-Server/storage/innodb_plugin/handler/ha_innodb.cc (+4/-0)
Percona-Server/storage/innodb_plugin/ibuf/ibuf0ibuf.c (+18/-0)
Percona-Server/storage/innodb_plugin/include/btr0cur.h (+16/-1)
Percona-Server/support-files/mysql.spec.sh (+5/-0)
Percona-Server/vio/viosslfactories.c (+1/-1)
lp:~laurynas-biveinis/percona-server/merge-5.5.35
Stewart Smith (community): Approve
Registry Administrators: Pending requested
Diff: 4405 lines (+1328/-467)
158 files modified
Makefile (+1/-1)
Percona-Server/CMakeLists.txt (+80/-2)
Percona-Server/VERSION (+1/-1)
Percona-Server/cmake/os/Linux.cmake (+5/-2)
Percona-Server/configure.cmake (+4/-0)
Percona-Server/extra/yassl/CMakeLists.txt (+5/-0)
Percona-Server/extra/yassl/taocrypt/CMakeLists.txt (+5/-0)
Percona-Server/include/my_check_opt.h (+69/-0)
Percona-Server/include/myisam.h (+1/-46)
Percona-Server/libmysql/CMakeLists.txt (+2/-0)
Percona-Server/libmysql/authentication_win/CMakeLists.txt (+5/-0)
Percona-Server/man/comp_err.1 (+2/-2)
Percona-Server/man/innochecksum.1 (+2/-2)
Percona-Server/man/msql2mysql.1 (+2/-2)
Percona-Server/man/my_print_defaults.1 (+2/-2)
Percona-Server/man/myisam_ftdump.1 (+2/-2)
Percona-Server/man/myisamchk.1 (+4/-3)
Percona-Server/man/myisamlog.1 (+2/-2)
Percona-Server/man/myisampack.1 (+2/-2)
Percona-Server/man/mysql-stress-test.pl.1 (+2/-2)
Percona-Server/man/mysql-test-run.pl.1 (+2/-2)
Percona-Server/man/mysql.1 (+2/-2)
Percona-Server/man/mysql.server.1 (+2/-2)
Percona-Server/man/mysql_client_test.1 (+2/-2)
Percona-Server/man/mysql_config.1 (+2/-2)
Percona-Server/man/mysql_convert_table_format.1 (+2/-2)
Percona-Server/man/mysql_find_rows.1 (+2/-2)
Percona-Server/man/mysql_fix_extensions.1 (+2/-2)
Percona-Server/man/mysql_install_db.1 (+2/-2)
Percona-Server/man/mysql_plugin.1 (+2/-2)
Percona-Server/man/mysql_secure_installation.1 (+3/-3)
Percona-Server/man/mysql_setpermission.1 (+2/-2)
Percona-Server/man/mysql_tzinfo_to_sql.1 (+2/-2)
Percona-Server/man/mysql_upgrade.1 (+2/-2)
Percona-Server/man/mysql_waitpid.1 (+2/-2)
Percona-Server/man/mysql_zap.1 (+2/-2)
Percona-Server/man/mysqlaccess.1 (+2/-2)
Percona-Server/man/mysqladmin.1 (+2/-2)
Percona-Server/man/mysqlbinlog.1 (+2/-2)
Percona-Server/man/mysqlbug.1 (+2/-2)
Percona-Server/man/mysqlcheck.1 (+2/-2)
Percona-Server/man/mysqld.8 (+2/-2)
Percona-Server/man/mysqld_multi.1 (+2/-2)
Percona-Server/man/mysqld_safe.1 (+3/-3)
Percona-Server/man/mysqldump.1 (+3/-9)
Percona-Server/man/mysqldumpslow.1 (+2/-2)
Percona-Server/man/mysqlhotcopy.1 (+2/-2)
Percona-Server/man/mysqlimport.1 (+2/-2)
Percona-Server/man/mysqlshow.1 (+2/-2)
Percona-Server/man/mysqlslap.1 (+2/-2)
Percona-Server/man/mysqltest.1 (+2/-2)
Percona-Server/man/ndb-common-options.1 (+2/-2)
Percona-Server/man/ndb_blob_tool.1 (+2/-2)
Percona-Server/man/ndb_config.1 (+3/-3)
Percona-Server/man/ndb_cpcd.1 (+2/-2)
Percona-Server/man/ndb_delete_all.1 (+2/-2)
Percona-Server/man/ndb_desc.1 (+2/-2)
Percona-Server/man/ndb_drop_index.1 (+3/-3)
Percona-Server/man/ndb_drop_table.1 (+2/-2)
Percona-Server/man/ndb_error_reporter.1 (+209/-9)
Percona-Server/man/ndb_index_stat.1 (+2/-2)
Percona-Server/man/ndb_mgm.1 (+2/-2)
Percona-Server/man/ndb_mgmd.8 (+42/-5)
Percona-Server/man/ndb_print_backup_file.1 (+2/-2)
Percona-Server/man/ndb_print_schema_file.1 (+2/-2)
Percona-Server/man/ndb_print_sys_file.1 (+2/-2)
Percona-Server/man/ndb_restore.1 (+7/-5)
Percona-Server/man/ndb_select_all.1 (+2/-2)
Percona-Server/man/ndb_select_count.1 (+2/-2)
Percona-Server/man/ndb_show_tables.1 (+2/-2)
Percona-Server/man/ndb_size.pl.1 (+2/-2)
Percona-Server/man/ndb_waiter.1 (+2/-2)
Percona-Server/man/ndbd.8 (+2/-2)
Percona-Server/man/ndbd_redo_log_reader.1 (+41/-2)
Percona-Server/man/ndbinfo_select_all.1 (+2/-2)
Percona-Server/man/ndbmtd.8 (+3/-3)
Percona-Server/man/perror.1 (+2/-2)
Percona-Server/man/replace.1 (+2/-2)
Percona-Server/man/resolve_stack_dump.1 (+2/-2)
Percona-Server/man/resolveip.1 (+2/-2)
Percona-Server/mysql-test/collections/default.experimental (+1/-0)
Percona-Server/mysql-test/extra/rpl_tests/rpl_drop_create_temp_table.inc (+7/-3)
Percona-Server/mysql-test/extra/rpl_tests/rpl_innodb.test (+1/-1)
Percona-Server/mysql-test/extra/rpl_tests/rpl_reset_slave.test (+3/-0)
Percona-Server/mysql-test/include/mtr_check.sql (+2/-0)
Percona-Server/mysql-test/include/search_pattern_in_file.inc (+66/-0)
Percona-Server/mysql-test/mysql-test-run.pl (+2/-2)
Percona-Server/mysql-test/r/openssl_1.result (+1/-1)
Percona-Server/mysql-test/suite/innodb/r/innodb_bug13510739.result (+1/-1)
Percona-Server/mysql-test/suite/innodb/t/innodb.test (+0/-6)
Percona-Server/mysql-test/suite/rpl/r/rpl_create_tmp_table_if_not_exists.result (+3/-0)
Percona-Server/mysql-test/suite/rpl/r/rpl_lost_events_on_rotate.result (+14/-0)
Percona-Server/mysql-test/suite/rpl/r/rpl_mixed_ddl_dml.result (+1/-0)
Percona-Server/mysql-test/suite/rpl/r/rpl_mixed_drop_create_temp_table.result (+6/-0)
Percona-Server/mysql-test/suite/rpl/r/rpl_rotate_logs.result (+1/-0)
Percona-Server/mysql-test/suite/rpl/r/rpl_row_drop_create_temp_table.result (+6/-0)
Percona-Server/mysql-test/suite/rpl/r/rpl_row_reset_slave.result (+1/-0)
Percona-Server/mysql-test/suite/rpl/r/rpl_stm_000001.result (+1/-0)
Percona-Server/mysql-test/suite/rpl/r/rpl_stm_drop_create_temp_table.result (+6/-0)
Percona-Server/mysql-test/suite/rpl/r/rpl_stm_innodb.result (+1/-0)
Percona-Server/mysql-test/suite/rpl/r/rpl_stm_reset_slave.result (+1/-0)
Percona-Server/mysql-test/suite/rpl/t/rpl_create_tmp_table_if_not_exists.test (+4/-0)
Percona-Server/mysql-test/suite/rpl/t/rpl_lost_events_on_rotate.test (+51/-0)
Percona-Server/mysql-test/suite/rpl/t/rpl_mixed_ddl_dml.test (+1/-0)
Percona-Server/mysql-test/suite/rpl/t/rpl_rotate_logs.test (+1/-0)
Percona-Server/mysql-test/suite/rpl/t/rpl_stm_000001.test (+1/-1)
Percona-Server/mysql-test/suite/sys_vars/t/identity_func.test (+0/-6)
Percona-Server/mysql-test/suite/sys_vars/t/innodb_autoinc_lock_mode_func.test (+0/-6)
Percona-Server/mysql-test/suite/sys_vars/t/last_insert_id_func.test (+0/-6)
Percona-Server/mysql-test/suite/sys_vars/t/storage_engine_basic.test (+0/-6)
Percona-Server/mysql-test/suite/sys_vars/t/tx_isolation_func.test (+0/-6)
Percona-Server/mysys/CMakeLists.txt (+5/-0)
Percona-Server/mysys/mf_iocache2.c (+2/-2)
Percona-Server/packaging/WiX/mysql_server.wxs.in (+27/-15)
Percona-Server/packaging/rpm-uln/mysql.spec.sh (+6/-1)
Percona-Server/plugin/semisync/semisync_master.cc (+15/-16)
Percona-Server/scripts/CMakeLists.txt (+0/-1)
Percona-Server/scripts/mysql_system_tables_data.sql (+3/-4)
Percona-Server/scripts/mysql_system_tables_fix.sql (+2/-0)
Percona-Server/sql-common/client.c (+1/-0)
Percona-Server/sql/filesort.cc (+8/-3)
Percona-Server/sql/ha_partition.cc (+20/-3)
Percona-Server/sql/ha_partition.h (+2/-1)
Percona-Server/sql/handler.cc (+6/-0)
Percona-Server/sql/item_strfunc.cc (+3/-1)
Percona-Server/sql/item_sum.cc (+6/-2)
Percona-Server/sql/log_event.cc (+0/-1)
Percona-Server/sql/net_serv.cc (+7/-1)
Percona-Server/sql/opt_range.cc (+10/-9)
Percona-Server/sql/set_var.cc (+1/-1)
Percona-Server/sql/set_var.h (+2/-1)
Percona-Server/sql/sql_acl.cc (+4/-2)
Percona-Server/sql/sql_class.h (+3/-1)
Percona-Server/sql/sql_lex.cc (+1/-0)
Percona-Server/sql/sql_partition.cc (+2/-0)
Percona-Server/sql/sql_prepare.cc (+1/-1)
Percona-Server/sql/sys_vars.cc (+7/-3)
Percona-Server/storage/innobase/btr/btr0cur.c (+22/-9)
Percona-Server/storage/innobase/btr/btr0pcur.c (+19/-27)
Percona-Server/storage/innobase/dict/dict0dict.c (+13/-0)
Percona-Server/storage/innobase/fil/fil0fil.c (+1/-1)
Percona-Server/storage/innobase/handler/ha_innodb.cc (+50/-32)
Percona-Server/storage/innobase/ibuf/ibuf0ibuf.c (+24/-5)
Percona-Server/storage/innobase/include/btr0cur.h (+15/-0)
Percona-Server/storage/innobase/include/btr0pcur.h (+24/-20)
Percona-Server/storage/innobase/include/btr0pcur.ic (+2/-2)
Percona-Server/storage/innobase/include/btr0sea.h (+0/-2)
Percona-Server/storage/innobase/include/dict0types.h (+5/-0)
Percona-Server/storage/innobase/include/ibuf0ibuf.h (+0/-5)
Percona-Server/storage/innobase/include/log0log.h (+2/-0)
Percona-Server/storage/innobase/log/log0log.c (+109/-1)
Percona-Server/storage/innobase/row/row0sel.c (+78/-31)
Percona-Server/strings/CMakeLists.txt (+5/-0)
Percona-Server/strings/ctype-win1250ch.c (+1/-1)
Percona-Server/support-files/mysql.spec.sh (+5/-0)
Percona-Server/vio/CMakeLists.txt (+5/-0)
Percona-Server/vio/viosslfactories.c (+1/-1)
Percona-Server/zlib/CMakeLists.txt (+5/-0)
Laurynas Biveinis (laurynas-biveinis)
tags: added: upstream
Revision history for this message
Laurynas Biveinis (laurynas-biveinis) wrote :

Upstream fix in 5.1.73 / 5.5.35.

Laurynas Biveinis (laurynas-biveinis)
Changed in percona-server:
status: Triaged → Fix Released
Revision history for this message
Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-600

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.