File mysql-5.0.67-CVE-2010-1848.patch of Package mysql

=== modified file 'sql/sql_parse.cc'
Index: sql/sql_parse.cc
===================================================================
--- sql/sql_parse.cc.orig
+++ sql/sql_parse.cc
@@ -1961,6 +1961,13 @@ bool dispatch_command(enum enum_server_c
     pend= strend(packet);
     thd->convert_string(&conv_name, system_charset_info,
 			packet, (uint) (pend-packet), thd->charset());
+    if (check_table_name (conv_name.str, conv_name.length))
+    {
+      /* this is OK due to convert_string() null-terminating the string */
+      my_error(ER_WRONG_TABLE_NAME, MYF(0), conv_name.str);
+      break;
+    }
+
     table_list.alias= table_list.table_name= conv_name.str;
     packet= pend+1;
 
Index: tests/mysql_client_test.c
===================================================================
--- tests/mysql_client_test.c.orig
+++ tests/mysql_client_test.c
@@ -16101,6 +16101,47 @@ static void test_bug31669()
   Bug#32265 Server returns different metadata if prepared statement is used
 */
 
+static void test_bug53371()
+{
+  int rc;
+  MYSQL_RES *result;
+
+  myheader("test_bug53371");
+
+  rc= mysql_query(mysql, "DROP TABLE IF EXISTS t1");
+  myquery(rc);
+  rc= mysql_query(mysql, "DROP DATABASE IF EXISTS bug53371");
+  myquery(rc);
+  rc= mysql_query(mysql, "DROP USER 'testbug'@localhost");
+
+  rc= mysql_query(mysql, "CREATE TABLE t1 (a INT)");
+  myquery(rc);
+  rc= mysql_query(mysql, "CREATE DATABASE bug53371");
+  myquery(rc);
+  rc= mysql_query(mysql, "GRANT SELECT ON bug53371.* to 'testbug'@localhost");
+  myquery(rc);
+
+  rc= mysql_change_user(mysql, "testbug", NULL, "bug53371");
+  myquery(rc);
+
+  rc= mysql_query(mysql, "SHOW COLUMNS FROM client_test_db.t1");
+  DIE_UNLESS(rc);
+  DIE_UNLESS(mysql_errno(mysql) == 1142);
+
+  result= mysql_list_fields(mysql, "../client_test_db/t1", NULL);
+  DIE_UNLESS(!result);
+
+  rc= mysql_change_user(mysql, opt_user, opt_password, current_db);
+  myquery(rc);
+  rc= mysql_query(mysql, "DROP TABLE t1");
+  myquery(rc);
+  rc= mysql_query(mysql, "DROP DATABASE bug53371");
+  myquery(rc);
+  rc= mysql_query(mysql, "DROP USER 'testbug'@localhost");
+  myquery(rc);
+}
+
+
 static void test_bug32265()
 {
   int rc;
@@ -16483,6 +16524,7 @@ static struct my_tests_st my_tests[]= {
   { "test_bug29306", test_bug29306 },
   { "test_bug31669", test_bug31669 },
   { "test_bug32265", test_bug32265 },
+  { "test_bug53371", test_bug53371 },
   { 0, 0 }
 };
 
openSUSE Build Service is sponsored by