#! /bin/sh /usr/share/dpatch/dpatch-run
# Description: arbitrary code execution via crafted table name argument
# Origin: backport, http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.1-bugteam/revision/1810.3987.13
# Bug: http://bugs.mysql.com/bug.php?id=53237
# Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=582526
9
diff -urNad mysql-dfsg-5.1-5.1.41~/sql/sql_parse.cc mysql-dfsg-5.1-5.1.41/sql/sql_parse.cc
10
--- mysql-dfsg-5.1-5.1.41~/sql/sql_parse.cc 2009-11-04 13:31:05.000000000 -0500
11
+++ mysql-dfsg-5.1-5.1.41/sql/sql_parse.cc 2010-05-21 14:58:25.000000000 -0400
12
@@ -1298,8 +1298,16 @@
13
We have name + wildcard in packet, separated by endzero
15
arg_end= strend(packet);
16
+ uint arg_length= arg_end - packet;
18
+ /* Check given table name length. */
19
+ if (arg_length >= packet_length || arg_length > NAME_LEN)
21
+ my_message(ER_UNKNOWN_COM_ERROR, ER(ER_UNKNOWN_COM_ERROR), MYF(0));
24
thd->convert_string(&conv_name, system_charset_info,
25
- packet, (uint) (arg_end - packet), thd->charset());
26
+ packet, arg_length, thd->charset());
27
table_list.alias= table_list.table_name= conv_name.str;