MDEV-35299

client/mysqladmin.cc

@@ -670,7 +670,7 @@ static int execute_commands(MYSQL *mysql,int argc, char **argv)
       }
       if (maybe_disable_binlog(mysql))
         return -1;
-      sprintf(buff,"create database `%.*s`",FN_REFLEN,argv[1]);
+      snprintf(buff, sizeof(buff), "create database `%.*s`",FN_REFLEN,argv[1]);
       if (mysql_query(mysql,buff))
       {
 	my_printf_error(0,"CREATE DATABASE failed; error: '%-.200s'",
@@ -711,7 +711,7 @@ static int execute_commands(MYSQL *mysql,int argc, char **argv)
 
       if (opt_shutdown_wait_for_slaves)
       {
-        sprintf(buff, "SHUTDOWN WAIT FOR ALL SLAVES");
+        snprintf(buff, sizeof(buff), "SHUTDOWN WAIT FOR ALL SLAVES");
         if (mysql_query(mysql, buff))
         {
           my_printf_error(0, "%s failed; error: '%-.200s'",
@@ -1192,13 +1192,14 @@ static int execute_commands(MYSQL *mysql,int argc, char **argv)
           }
         }
         if (old)
-          my_make_scrambled_password_323(crypted_pw, typed_password, strlen(typed_password));
+          my_make_scrambled_password_323(crypted_pw, sizeof(crypted_pw),
+                                         typed_password, strlen(typed_password));
         else
           my_make_scrambled_password(crypted_pw, typed_password, strlen(typed_password));
       }
       else
 	crypted_pw[0]=0;			/* No password */
-      sprintf(buff,"set password='%s',sql_log_off=0",crypted_pw);
+      snprintf(buff,sizeof(buff),"set password='%s',sql_log_off=0",crypted_pw);
 
       if (mysql_query(mysql,"set sql_log_off=1"))
       {
@@ -1449,7 +1450,7 @@ static int drop_db(MYSQL *mysql, const char *db)
       return -1;
     }
   }
-  sprintf(name_buff,"drop database `%.*s`",FN_REFLEN,db);
+  snprintf(name_buff,sizeof(name_buff),"drop database `%.*s`",FN_REFLEN,db);
   if (mysql_query(mysql,name_buff))
   {
     my_printf_error(0, "DROP DATABASE %s failed;\nerror: '%s'", error_flags,

client/mysqlbinlog.cc

@@ -298,13 +298,15 @@ class Load_log_processor
     @retval -1 Error (can't find new filename).
     @retval >=0 Found file.
   */
-  File create_unique_file(char *filename, char *file_name_end)
+  File create_unique_file(char *filename, char *file_name_end,
+                          size_t file_name_left_space)
     {
       File res;
       /* If we have to try more than 1000 times, something is seriously wrong */
       for (uint version= 0; version<1000; version++)
       {
-	sprintf(file_name_end,"-%x",version);
+        snprintf(file_name_end, file_name_left_space, "-%x", version);
+
 	if ((res= my_create(filename,0,
 			    O_CREAT|O_EXCL|O_BINARY|O_WRONLY,MYF(0)))!=-1)
 	  return res;
@@ -411,7 +413,8 @@ class Load_log_processor
   Exit_status process(Create_file_log_event *ce);
   Exit_status process(Begin_load_query_log_event *ce);
   Exit_status process(Append_block_log_event *ae);
-  File prepare_new_file_for_old_format(Load_log_event *le, char *filename);
+  File prepare_new_file_for_old_format(Load_log_event *le, char *filename,
+                                       size_t fname_buf_sz);
   Exit_status load_old_format_file(NET* net, const char *server_fname,
                                    uint server_fname_len, File file);
   Exit_status process_first_event(const char *bname, size_t blen,
@@ -432,7 +435,8 @@ class Load_log_processor
   @return File handle >= 0 on success, -1 on error.
 */
 File Load_log_processor::prepare_new_file_for_old_format(Load_log_event *le,
-							 char *filename)
+                                                         char *filename,
+                                                         size_t fname_buf_sz)
 {
   size_t len;
   char *tail;
@@ -442,7 +446,7 @@ File Load_log_processor::prepare_new_file_for_old_format(Load_log_event *le,
   len= strlen(filename);
   tail= filename + len;
 
-  if ((file= create_unique_file(filename,tail)) < 0)
+  if ((file= create_unique_file(filename, tail, fname_buf_sz - len)) < 0)
   {
     error("Could not construct local filename %s.",filename);
     return -1;
@@ -564,9 +568,18 @@ Exit_status Load_log_processor::process_first_event(const char *bname,
   ptr= fname + target_dir_name_len;
   memcpy(ptr,bname,blen);
   ptr+= blen;
-  ptr+= sprintf(ptr, "-%x", file_id);
 
-  if ((file= create_unique_file(fname,ptr)) < 0)
+  size_t ret= snprintf(ptr, full_len - target_dir_name_len - blen,
+                       "-%x", file_id);
+  if (ret >= (full_len - target_dir_name_len - blen))
+  {
+    error("Buffer for a file name is overflowed.");
+    // Buffer overflow condition taken place
+    DBUG_RETURN(ERROR_STOP);
+  }
+
+  ptr+= ret;
+  if ((file= create_unique_file(fname, ptr, full_len - (ptr - fname))) < 0)
   {
     error("Could not construct local filename %s%s.",
           target_dir_name,bname);
@@ -2388,7 +2401,8 @@ static Exit_status handle_event_text_mode(PRINT_EVENT_INFO *print_event_info,
     Exit_status retval;
     char fname[FN_REFLEN+1];
 
-    if ((file= load_processor.prepare_new_file_for_old_format(le,fname)) < 0)
+    if ((file= load_processor.prepare_new_file_for_old_format(le, fname,
+                                                              sizeof(fname))) < 0)
     {
       DBUG_RETURN(ERROR_STOP);
     }

extra/mariabackup/backup_copy.cc

@@ -1950,7 +1950,7 @@ copy_back()
 
 	for (uint i = 1; i <= TRX_SYS_MAX_UNDO_SPACES; i++) {
 		char filename[20];
-		sprintf(filename, "undo%03u", i);
+		snprintf(filename, sizeof(filename), "undo%03u", i);
 		if (!file_exists(filename)) {
 			break;
 		}

extra/mariabackup/backup_mysql.cc

@@ -147,8 +147,7 @@ xb_mysql_connect()
 	MYSQL *connection = mysql_init(NULL);
 	char mysql_port_str[std::numeric_limits<int>::digits10 + 3];
 	const char *user= opt_user ? opt_user : get_os_user();
-
-	sprintf(mysql_port_str, "%d", opt_port);
+	snprintf(mysql_port_str, sizeof(mysql_port_str), "%d", opt_port);
 
 	if (connection == NULL) {
 		msg("Failed to init MySQL struct: %s.",

include/mysql_com.h

@@ -725,7 +725,8 @@ void create_random_string(char *to, unsigned int length,
                           struct my_rnd_struct *rand_st);
 
 void hash_password(unsigned long *to, const char *password, unsigned int password_len);
-void make_scrambled_password_323(char *to, const char *password);
+void make_scrambled_password_323(char *to, size_t buf_capacity,
+                                 const char *password);
 void scramble_323(char *to, const char *message, const char *password);
 my_bool check_scramble_323(const unsigned char *reply, const char *message,
                            unsigned long *salt);

include/password.h

@@ -18,7 +18,8 @@
 
 C_MODE_START
 
-void my_make_scrambled_password_323(char *to, const char *password,
+void my_make_scrambled_password_323(char *to,  size_t buf_capacity,
+                                    const char *password,
                                     size_t pass_len);
 void my_make_scrambled_password(char *to, const char *password,
                                 size_t pass_len);

mysql-test/lib/My/SafeProcess/safe_process.cc

@@ -236,7 +236,8 @@ int main(int argc, char* const argv[] )
   sigaction(SIGCHLD, &sa,NULL);
   sigaction(SIGABRT, &sa_abort,NULL);
 
-  sprintf(safe_process_name, "safe_process[%ld]", (long) own_pid);
+  snprintf(safe_process_name, sizeof(safe_process_name),
+           "safe_process[%ld]", (long) own_pid);
 
   message("Started");
 

mysys/crc32/crc32c_x86.cc

@@ -39,7 +39,9 @@ extern "C" unsigned crc32c_sse42(unsigned crc, const void* buf, size_t size);
 
 constexpr uint32_t cpuid_ecx_SSE42= 1U << 20;
 constexpr uint32_t cpuid_ecx_SSE42_AND_PCLMUL= cpuid_ecx_SSE42 | 1U << 1;
+#ifdef USE_VPCLMULQDQ
 constexpr uint32_t cpuid_ecx_AVX_AND_XSAVE= 1U << 28 | 1U << 27;
+#endif
 
 static uint32_t cpuid_ecx()
 {

plugin/type_inet/sql_type_inet.cc

@@ -493,8 +493,13 @@ size_t Inet6::to_string(char *dst, size_t dstsize) const
       //
       // If it is not the last field, append closing ':'.
 
-      p += sprintf(p, "%x", ipv6_words[i]);
+      int ret= snprintf(p, dstsize_available, "%x", ipv6_words[i]);
 
+      if ((size_t)ret >= dstsize_available)
+        // Buffer overflow condition taken place
+        break;
+
+      p += ret;
       if (i + 1 != IN6_ADDR_NUM_WORDS)
       {
         *p= ':';

sql/gcalc_slicescan.cc

@@ -100,9 +100,10 @@ const char *gcalc_ev_name(int ev)
 }
 
 
-static int gcalc_pi_str(char *str, const Gcalc_heap::Info *pi, const char *postfix)
+static int gcalc_pi_str(char *str, size_t len,
+                        const Gcalc_heap::Info *pi, const char *postfix)
 {
-  return sprintf(str, "%s %d %d | %s %d %d%s",
+  return snprintf(str, len, "%s %d %d | %s %d %d%s",
                      GCALC_SIGN(pi->node.shape.ix[0]) ? "-":"", FIRST_DIGIT(pi->node.shape.ix[0]),pi->node.shape.ix[1],
                      GCALC_SIGN(pi->node.shape.iy[0]) ? "-":"", FIRST_DIGIT(pi->node.shape.iy[0]),pi->node.shape.iy[1],
                      postfix);
@@ -112,29 +113,26 @@ static int gcalc_pi_str(char *str, const Gcalc_heap::Info *pi, const char *postf
 
 static void GCALC_DBUG_PRINT_PI(const Gcalc_heap::Info *pi)
 {
+#ifdef DBUG_TRACE
   char buf[128];
-  int n_buf;
   if (pi->type == Gcalc_heap::nt_intersection)
   {
-#ifdef DBUG_TRACE
     const Gcalc_scan_iterator::intersection_info *ic= i_data(pi);
 
     GCALC_DBUG_PRINT(("intersection point %d %d",
                       ic->edge_a->thread, ic->edge_b->thread));
-#endif
     return;
   }
   if (pi->type == Gcalc_heap::nt_eq_node)
   {
-#ifdef DBUG_TRACE
     const Gcalc_scan_iterator::point *e= eq_sp(pi);
     GCALC_DBUG_PRINT(("eq point %d", e->thread));
-#endif
+
     return;
   }
-  n_buf= gcalc_pi_str(buf, pi, "");
-  buf[n_buf]= 0;
+  (void)gcalc_pi_str(buf, sizeof(buf), pi, "");
   GCALC_DBUG_PRINT(("%s", buf));
+#endif
 }
 
 
@@ -148,14 +146,31 @@ static void GCALC_DBUG_PRINT_SLICE(const char *header,
   for (; slice; slice= slice->get_next())
   {
     size_t lnbuf= nbuf;
-    lnbuf+= sprintf(buf + lnbuf, "%d\t", slice->thread);
-    lnbuf+= sprintf(buf + lnbuf, "%s\t", gcalc_ev_name(slice->event));
+    size_t ret;
+
+    ret= snprintf(buf + lnbuf, sizeof(buf) - lnbuf,
+                  "%d\t%s\t", slice->thread, gcalc_ev_name(slice->event));
+    if (ret >= sizeof(buf) - lnbuf)
+      // Buffer overflow condition taken place
+      break;
+    lnbuf+= ret;
+
+    ret= gcalc_pi_str(buf + lnbuf, sizeof(buf) - lnbuf, slice->pi, "\t");
+    if (ret >= sizeof(buf) - lnbuf)
+      // Buffer overflow condition taken place
+      break;
+    lnbuf+= ret;
 
-    lnbuf+= gcalc_pi_str(buf + lnbuf, slice->pi, "\t");
     if (slice->is_bottom())
-      lnbuf+= sprintf(buf+lnbuf, "bt\t");
+      ret= snprintf(buf + lnbuf, sizeof(buf) - lnbuf, "bt\t");
     else
-      lnbuf+= gcalc_pi_str(buf+lnbuf, slice->next_pi, "\t");
+      ret= gcalc_pi_str(buf + lnbuf, sizeof(buf) - lnbuf,
+                        slice->next_pi, "\t");
+    if (ret >= sizeof(buf) - lnbuf)
+      // Buffer overflow condition taken place
+      break;
+
+    lnbuf+= ret;
     buf[lnbuf]= 0;
     GCALC_DBUG_PRINT(("%s", buf));
   }

sql/item_strfunc.cc

@@ -2248,7 +2248,8 @@ String *Item_func_password::val_str_ascii(String *str)
       return 0;
     if (res->length() == 0)
       return make_empty_result(str);
-    my_make_scrambled_password_323(tmp_value, res->ptr(), res->length());
+    my_make_scrambled_password_323(tmp_value, sizeof(tmp_value),
+                                   res->ptr(), res->length());
     str->set(tmp_value, SCRAMBLED_PASSWORD_CHAR_LENGTH_323, &my_charset_latin1);
     break;
   default:
@@ -2271,7 +2272,11 @@ char *Item_func_password::alloc(THD *thd, const char *password,
     my_make_scrambled_password(buff, password, pass_len);
     break;
   case OLD:
-    my_make_scrambled_password_323(buff, password, pass_len);
+    my_make_scrambled_password_323(buff,
+                                   (al==NEW) ?
+                                   SCRAMBLED_PASSWORD_CHAR_LENGTH + 1 :
+                                   SCRAMBLED_PASSWORD_CHAR_LENGTH_323 + 1,
+                                   password, pass_len);
     break;
   default:
     DBUG_ASSERT(0);

sql/log_event.cc

@@ -1409,7 +1409,7 @@ code_name(int code)
   case Q_MASTER_DATA_WRITTEN_CODE: return "Q_MASTER_DATA_WRITTEN_CODE";
   case Q_HRNOW: return "Q_HRNOW";
   }
-  sprintf(buf, "CODE#%d", code);
+  snprintf(buf, sizeof(buf), "CODE#%d", code);
   return buf;
 }
 #endif

sql/log_event.h

@@ -3112,6 +3112,17 @@ class Xid_log_event: public Xid_apply_log_event
 };
 
 
+/*
+  The size of the string containing serialized Xid representation
+  is computed as a sum of
+  eight as the number of formatting symbols (X'',X'',)
+  plus 2 x XIDDATASIZE (2 due to hex format),
+  plus space for decimal digits of XID::formatID,
+  plus one for 0x0.
+*/
+static const uint ser_buf_size=
+  8 + 2 * MYSQL_XIDDATASIZE + 4 * sizeof(long) + 1;
+
 /**
   @class XA_prepare_log_event
 
@@ -3177,22 +3188,11 @@ inline char *serialize_xid(char *buf, long fmt, long gln, long bln,
     c+= 2;
   }
   c[0]= '\'';
-  sprintf(c+1, ",%lu", fmt);
+  snprintf(c + 1, (ser_buf_size ) - (c + 1 - buf), ",%lu", fmt);
 
  return buf;
 }
 
-/*
-  The size of the string containing serialized Xid representation
-  is computed as a sum of
-  eight as the number of formatting symbols (X'',X'',)
-  plus 2 x XIDDATASIZE (2 due to hex format),
-  plus space for decimal digits of XID::formatID,
-  plus one for 0x0.
-*/
-static const uint ser_buf_size=
-  8 + 2 * MYSQL_XIDDATASIZE + 4 * sizeof(long) + 1;
-
 struct event_mysql_xid_t :  MYSQL_XID
 {
   char buf[ser_buf_size];
@@ -3261,7 +3261,7 @@ class XA_prepare_log_event: public Xid_apply_log_event
   int do_commit() override;
   const char* get_query() override
   {
-    sprintf(query,
+    snprintf(query, sizeof(query),
             (one_phase ? "XA COMMIT %s ONE PHASE" : "XA PREPARE %s"),
             m_xid.serialize());
     return query;