mariadb/SOURCES/mariadb-covscan-stroverflow.patch

The following problems have been found by Coverity - static analysis tool.

mysql-5.5.31/plugin/semisync/semisync_master.cc:672:parameter_as_source – Note: This defect has an elevated risk because the source argument is a parameter of the current function. 

mysql-5.5.31/plugin/semisync/semisync_master.cc:661:parameter_as_source – Note: This defect has an elevated risk because the source argument is a parameter of the current function. 

mysql-5.5.31/plugin/semisync/semisync_master.cc:555:parameter_as_source – Note: This defect has an elevated risk because the source argument is a parameter of the current function.

diff -rup mariadb-5.5.47.covscan-stroverflow/plugin/semisync/semisync_master.cc mariadb-5.5.47/plugin/semisync/semisync_master.cc
--- mariadb-5.5.47.covscan-stroverflow/plugin/semisync/semisync_master.cc	2015-12-09 18:22:47.000000000 +0100
+++ mariadb-5.5.47/plugin/semisync/semisync_master.cc	2016-02-04 07:51:02.023858249 +0100
@@ -552,7 +552,8 @@ int ReplSemiSyncMaster::reportReplyBinlo
 
   if (need_copy_send_pos)
   {
-    strcpy(reply_file_name_, log_file_name);
+    strncpy(reply_file_name_, log_file_name, sizeof(reply_file_name_)-1);
+    reply_file_name_[sizeof(reply_file_name_)-1] = '\0';
     reply_file_pos_ = log_file_pos;
     reply_file_name_inited_ = true;
 
@@ -659,7 +660,8 @@ int ReplSemiSyncMaster::commitTrx(const
         if (cmp <= 0)
 	{
           /* This thd has a lower position, let's update the minimum info. */
-          strcpy(wait_file_name_, trx_wait_binlog_name);
+          strncpy(wait_file_name_, trx_wait_binlog_name, sizeof(wait_file_name_)-1);
+          wait_file_name_[sizeof(wait_file_name_)-1] = '\0';
           wait_file_pos_ = trx_wait_binlog_pos;
 
           rpl_semi_sync_master_wait_pos_backtraverse++;
@@ -670,7 +672,8 @@ int ReplSemiSyncMaster::commitTrx(const
       }
       else
       {
-        strcpy(wait_file_name_, trx_wait_binlog_name);
+        strncpy(wait_file_name_, trx_wait_binlog_name, sizeof(wait_file_name_)-1);
+        wait_file_name_[sizeof(wait_file_name_)-1] = '\0';
         wait_file_pos_ = trx_wait_binlog_pos;
         wait_file_name_inited_ = true;
 

mysql-5.5.31/sql/rpl_handler.cc:306:fixed_size_dest – You might overrun the 512 byte fixed-size string "log_info->log_file" by copying "log_file + dirname_length(log_file)" without checking the length. diff -up mysql-5.5.31/sql/rpl_handler.cc.covscan-stroverflow mysql-5.5.31/sql/rpl_handler.cc

diff -rup mariadb-5.5.47.covscan-stroverflow/sql/rpl_handler.cc mariadb-5.5.47/sql/rpl_handler.cc
--- mariadb-5.5.47.covscan-stroverflow/sql/rpl_handler.cc	2015-12-09 18:22:47.000000000 +0100
+++ mariadb-5.5.47/sql/rpl_handler.cc	2016-02-04 07:53:11.920729054 +0100
@@ -260,7 +260,8 @@ int Binlog_storage_delegate::after_flush
     thd->semisync_info= log_info;
   }
 
-  strcpy(log_info->log_file, log_file+dirname_length(log_file));
+  strncpy(log_info->log_file, log_file+dirname_length(log_file), sizeof(log_info->log_file)-1);
+  log_info->log_file[sizeof(log_info->log_file)-1] = '\0';
   log_info->log_pos = log_pos;
   
   FOREACH_OBSERVER(ret, after_flush, false,

mysql-5.5.31/sql/sp_rcontext.h:87:buffer_size_warning – Calling strncpy with a maximum size argument of 512 bytes on destination array "this->m_message" of size 512 bytes might leave the destination string unterminated. 

diff -rup mariadb-5.5.47.covscan-stroverflow/sql/sp_rcontext.h mariadb-5.5.47/sql/sp_rcontext.h
--- mariadb-5.5.47.covscan-stroverflow/sql/sp_rcontext.h	2015-12-09 18:22:47.000000000 +0100
+++ mariadb-5.5.47/sql/sp_rcontext.h	2016-02-04 07:55:50.073558349 +0100
@@ -84,7 +84,8 @@ public:
     memcpy(m_sql_state, sqlstate, SQLSTATE_LENGTH);
     m_sql_state[SQLSTATE_LENGTH]= '\0';
 
-    strncpy(m_message, msg, MYSQL_ERRMSG_SIZE);
+    strncpy(m_message, msg, sizeof(m_message)-1);
+    m_message[sizeof(m_message)-1] = '\0';
   }
 
   void clear()