I believe that there is a possible buffer overflow in libedit/history.c:history_save(). The related code is mostly common for all *BSD, so please see http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=26725 for further details.

Fix: http://lists.mysql.com/internals/16119
How-To-Repeat: http://bugs.mysql.com/bug.php?id=4696
Otto Moerbeek <otto@drijf.net> has just pointed out that the

    max_size = (len + 1023) & ~1023;

patch is not enough (see http://www.sigmasoft.com/cgi-bin/wilma_hiliter/openbsd-bugs/200408/msg00092.html):

"... If len is a multiple of 1024, max_size = (len + 1023) & ~1023; will not increase it. Should probably be max_size = (len + 1024) & ~1023;"

It looks like his statement is correct and either his patch or something like http://www.sigmasoft.com/cgi-bin/wilma_hiliter/openbsd-bugs/200408/msg00096.html (which is a bit more intrusive but seems more self-documented to me) is needed.

-- Sergey S. Kostyliov <rathamahata@ehouse.ru>
Jabber ID: rathamahata@jabber.org
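The following is an added illustration of the rounding problem discussed above; it is not code from this report, from libedit, or from either patch. It models the two rounding expressions as stand-alone functions and checks, for every length up to a limit, whether the resulting buffer size leaves room for len bytes plus one terminating byte (that "plus one" requirement is an assumption standing in for whatever history_save() actually writes; the names round_up_original, round_up_fixed, buffer_can_hold and count_unsafe_lengths are hypothetical).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Rounding as in the first patch discussed in the report: round len up to a
 * multiple of 1024.  When len is already a multiple of 1024 the result equals
 * len, so a buffer of this size has no room for a terminating byte. */
size_t round_up_original(size_t len)
{
	return (len + 1023) & ~(size_t)1023;
}

/* Rounding as suggested by Otto Moerbeek: the result is always the next
 * multiple of 1024 strictly greater than len. */
size_t round_up_fixed(size_t len)
{
	return (len + 1024) & ~(size_t)1023;
}

/* Assumed requirement of the caller (hypothetical model, not libedit's code):
 * a buffer of max_size bytes must hold len bytes of text plus one NUL. */
bool buffer_can_hold(size_t max_size, size_t len)
{
	return max_size >= len + 1;
}

/* Count the lengths in [1, limit] for which a given rounding function yields
 * a buffer that cannot hold len bytes plus the terminator. */
size_t count_unsafe_lengths(size_t (*round_up)(size_t), size_t limit)
{
	size_t unsafe = 0;
	for (size_t len = 1; len <= limit; len++)
		if (!buffer_can_hold(round_up(len), len))
			unsafe++;
	return unsafe;
}

int main(void)
{
	/* Constructed sample lengths around the 1024 boundary. */
	size_t samples[] = { 1023, 1024, 1025, 2048 };
	for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
		size_t len = samples[i];
		size_t orig = round_up_original(len);
		size_t fixed = round_up_fixed(len);
		printf("len=%zu original=%zu (%s) fixed=%zu (%s)\n", len,
		       orig, buffer_can_hold(orig, len) ? "ok" : "too small",
		       fixed, buffer_can_hold(fixed, len) ? "ok" : "too small");
	}
	printf("unsafe lengths up to 8192: original=%zu fixed=%zu\n",
	       count_unsafe_lengths(round_up_original, 8192),
	       count_unsafe_lengths(round_up_fixed, 8192));
	return 0;
}
```

Running the scan shows the original expression fails exactly at the multiples of 1024, while the corrected expression always returns a size strictly greater than len, which is the property Otto's note relies on.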
State Changed From-To: open->feedback Could somebody submit the correct patch, please?
State Changed From-To: feedback->closed Committed, thanks!