Merge pull request #3815 from sysown/CodeQL

CodeQL detected issue fixes

deps/Makefile

@@ -52,7 +52,9 @@ libinjection: libinjection/libinjection/src/libinjection.a
 libssl/openssl/libssl.a:
 	cd libssl && rm -rf openssl-openssl-*/ || true
 	cd libssl && tar -zxf openssl-*.tar.gz
-	cd libssl/openssl  && ./config no-ssl3 no-tests
+	cd libssl/openssl && patch crypto/ec/curve448/curve448.c < ../curve448.c-multiplication-overflow.patch
+	cd libssl/openssl && patch crypto/asn1/a_time.c < ../a_time.c-multiplication-overflow.patch
+	cd libssl/openssl && ./config no-ssl3 no-tests
 	cd libssl/openssl && CC=${CC} CXX=${CXX} ${MAKE}
 	cd libssl/openssl && ln -s . lib # curl wants this path
 libssl: libssl/openssl/libssl.a
@@ -92,6 +94,7 @@ libhttpserver: libhttpserver/libhttpserver/build/src/.libs/libhttpserver.a
 libev/libev/.libs/libev.a:
 	cd libev && rm -rf libev-4.24 || true
 	cd libev && tar -zxf libev-4.24.tar.gz
+	cd libev/libev && patch ev.c < ../ev.c-multiplication-overflow.patch
 	cd libev/libev  && ./configure
 	cd libev/libev && CC=${CC} CXX=${CXX} ${MAKE}
 ev: libev/libev/.libs/libev.a
@@ -117,6 +120,7 @@ endif
 ifeq ($(OS),Darwin)
 	cd libmicrohttpd/libmicrohttpd && patch src/microhttpd/mhd_sockets.c < ../mhd_sockets.c-issue-5977.patch
 endif
+	cd libmicrohttpd/libmicrohttpd && patch src/microhttpd/connection.c < ../connection.c-snprintf-overflow.patch
 	cd libmicrohttpd/libmicrohttpd && ./configure --enable-https && CC=${CC} CXX=${CXX} ${MAKE}
 microhttpd: libmicrohttpd/libmicrohttpd/src/microhttpd/.libs/libmicrohttpd.a
 
@@ -193,6 +197,9 @@ mariadb-client-library/mariadb_client/libmariadb/libmariadbclient.a: libssl/open
 ifeq ($(WITHASAN),1)
 	cd mariadb-client-library/mariadb_client && patch -p0 < ../mariadb_asan.patch
 endif
+	cd mariadb-client-library/mariadb_client && patch libmariadb/mariadb_dyncol.c < ../mariadb_dyncol.c-multiplication-overflow.patch
+	cd mariadb-client-library/mariadb_client && patch libmariadb/ma_array.c < ../ma_array.c-multiplication-overflow.patch
+	cd mariadb-client-library/mariadb_client && patch zlib/zutil.c < ../zutil.c-multiplication-overflow.patch
 	cd mariadb-client-library/mariadb_client && CC=${CC} CXX=${CXX} ${MAKE} mariadbclient
 # cd mariadb-client-library/mariadb_client/include && make my_config.h
 
@@ -203,6 +210,7 @@ sqlite3/sqlite3/sqlite3.o:
 	cd sqlite3 && rm -rf sqlite-amalgamation-3190200
 	cd sqlite3 && tar -zxf sqlite-amalgamation-3190200.tar.gz
 	cd sqlite3/sqlite3 && patch sqlite3.c < ../from_unixtime.patch
+	cd sqlite3/sqlite3 && patch sqlite3.c < ../sqlite3.c-multiplication-overflow.patch
 	cd sqlite3/sqlite3 && ${CC} ${MYCFLAGS} -fPIC -c -o sqlite3.o sqlite3.c -DSQLITE_ENABLE_MEMORY_MANAGEMENT -DSQLITE_ENABLE_JSON1 -DSQLITE_DLL=1
 	cd sqlite3/sqlite3 && ${CC} -shared -o libsqlite3.so sqlite3.o
 
@@ -234,7 +242,8 @@ re2/re2/obj/libre2.a:
 #	cd re2 && tar -zxf re2-20140304.tgz
 	cd re2 && tar -zxf re2.tar.gz
 #	cd re2/re2 && sed -i -e 's/-O3 -g /-O3 -fPIC /' Makefile
-#	cd re2 && patch re2/util/mutex.h < mutex.h.patch
+#	cd re2/re2 && patch util/mutex.h < ../mutex.h.patch
+	cd re2/re2 && patch re2/onepass.cc < ../onepass.cc-multiplication-overflow.patch
 	cd re2/re2 && sed -i -e 's/-O3 /-O3 -fPIC -DMEMORY_SANITIZER -DRE2_ON_VALGRIND /' Makefile
 	cd re2/re2 && sed -i -e 's/RE2_CXXFLAGS?=-std=c++11 /RE2_CXXFLAGS?=-std=c++11 -fPIC /' Makefile
 	cd re2/re2 && CC=${CC} CXX=${CXX} ${MAKE}
@@ -245,6 +254,7 @@ pcre/pcre/.libs/libpcre.a:
 	cd pcre && rm -rf pcre-8.39
 	cd pcre && rm -rf pcre-8.44
 	cd pcre && tar -zxf pcre-8.44.tar.gz
+	cd pcre/pcre && patch pcretest.c < ../pcretest.c-multiplication-overflow.patch
 	cd pcre/pcre && ./configure
 	cd pcre/pcre && CC=${CC} CXX=${CXX} ${MAKE}
 pcre: pcre/pcre/.libs/libpcre.a

deps/libev/ev.c-multiplication-overflow.patch

@@ -0,0 +1,18 @@
+@@ -1937,7 +1937,7 @@
+   while (cnt > ncur);
+ 
+   /* if size is large, round to MALLOC_ROUND - 4 * longs to accommodate malloc overhead */
+-  if (elem * ncur > MALLOC_ROUND - sizeof (void *) * 4)
++  if ((long) elem * ncur > MALLOC_ROUND - sizeof (void *) * 4)
+     {
+       ncur *= elem;
+       ncur = (ncur + elem + (MALLOC_ROUND - 1) + sizeof (void *) * 4) & ~(MALLOC_ROUND - 1);
+@@ -1953,7 +1953,7 @@
+ array_realloc (int elem, void *base, int *cur, int cnt)
+ {
+   *cur = array_nextsize (elem, *cur, cnt);
+-  return ev_realloc (base, elem * *cur);
++  return ev_realloc (base, (long) elem * *cur);
+ }
+ 
+ #define array_init_zero(base,count)	\

deps/libmicrohttpd/connection.c-snprintf-overflow.patch

@@ -0,0 +1,20 @@
+@@ -1582,11 +1582,18 @@
+                                                 MHD_HTTP_HEADER_CONNECTION))) &&
+               (MHD_str_equal_caseless_ (pos->value,
+                                         "Keep-Alive")) ) ) )
+-      off += MHD_snprintf_ (&data[off],
++    {
++      int n = MHD_snprintf_ (&data[off],
+                             size - off,
+                             "%s: %s\r\n",
+                             pos->header,
+                             pos->value);
++      if (n < 0 || n >= size - off)
++      {
++        break;
++      }
++      off += n;
++    }
+   }
+   if (MHD_CONNECTION_FOOTERS_RECEIVED == connection->state)
+   {

deps/libssl/a_time.c-multiplication-overflow.patch

@@ -0,0 +1,9 @@
+@@ -248,7 +248,7 @@
+             }
+             o++;
+         }
+-        if (offset && !OPENSSL_gmtime_adj(&tmp, 0, offset * offsign))
++        if (offset && !OPENSSL_gmtime_adj(&tmp, 0, (long) offset * offsign))
+             goto err;
+     } else {
+         /* not Z, or not +/- in non-strict mode */

deps/libssl/curve448.c-multiplication-overflow.patch

@@ -0,0 +1,9 @@
+@@ -588,7 +588,7 @@
+             assert(position >= 0);
+             if (odd & (1 << (table_bits + 1)))
+                 delta -= (1 << (table_bits + 1));
+-            current -= delta * (1 << pos);
++            current -= (long) delta * (1 << pos);
+             control[position].power = pos + 16 * (w - 1);
+             control[position].addend = delta;
+             position--;

deps/mariadb-client-library/ma_array.c-multiplication-overflow.patch

@@ -0,0 +1,53 @@
+@@ -46,7 +46,7 @@
+   array->max_element=init_alloc;
+   array->alloc_increment=alloc_increment;
+   array->size_of_element=element_size;
+-  if (!(array->buffer=(char*) malloc(element_size*init_alloc)))
++  if (!(array->buffer=(char*) malloc((long) element_size*init_alloc)))
+   {
+     array->max_element=0;
+     return(TRUE);
+@@ -80,7 +80,7 @@
+   if (array->elements == array->max_element)
+   {
+     char *new_ptr;
+-    if (!(new_ptr=(char*) realloc(array->buffer,(array->max_element+
++    if (!(new_ptr=(char*) realloc(array->buffer,(long) (array->max_element+
+ 			          array->alloc_increment)*
+ 				   array->size_of_element)))
+       return 0;
+@@ -111,14 +111,14 @@
+       char *new_ptr;
+       size=(idx+array->alloc_increment)/array->alloc_increment;
+       size*= array->alloc_increment;
+-      if (!(new_ptr=(char*) realloc(array->buffer,size*
++      if (!(new_ptr=(char*) realloc(array->buffer,(long) size*
+ 			            array->size_of_element)))
+ 	return TRUE;
+       array->buffer=new_ptr;
+       array->max_element=size;
+     }
+     memset((array->buffer+array->elements*array->size_of_element), 0,
+-	  (idx - array->elements)*array->size_of_element);
++	  (long) (idx - array->elements)*array->size_of_element);
+     array->elements=idx+1;
+   }
+   memcpy(array->buffer+(idx * array->size_of_element),element,
+@@ -155,7 +155,7 @@
+   char *ptr=array->buffer+array->size_of_element*idx;
+   array->elements--;
+   memmove(ptr,ptr+array->size_of_element,
+-	  (array->elements-idx)*array->size_of_element);
++	  (long) (array->elements-idx)*array->size_of_element);
+ }
+ 
+ 
+@@ -166,7 +166,7 @@
+   if (array->buffer && array->max_element != elements)
+   {
+     array->buffer=(char*) realloc(array->buffer,
+-			          elements*array->size_of_element);
++			          (long) elements*array->size_of_element);
+     array->max_element=elements;
+   }
+ }

deps/mariadb-client-library/mariadb_dyncol.c-multiplication-overflow.patch

@@ -0,0 +1,16 @@
+@@ -3999,13 +3999,13 @@
+         (val->x.time_value.neg ? -1 : 1);
+       break;
+     case DYN_COL_DATE:
+-      *ll= (val->x.time_value.year * 10000 +
++      *ll= ((long) val->x.time_value.year * 10000 +
+             val->x.time_value.month * 100 +
+             val->x.time_value.day) *
+         (val->x.time_value.neg ? -1 : 1);
+       break;
+     case DYN_COL_TIME:
+-      *ll= (val->x.time_value.hour * 10000 +
++      *ll= ((long) val->x.time_value.hour * 10000 +
+             val->x.time_value.minute * 100 +
+             val->x.time_value.second) *
+         (val->x.time_value.neg ? -1 : 1);

deps/mariadb-client-library/zutil.c-multiplication-overflow.patch

@@ -0,0 +1,9 @@
+@@ -303,7 +303,7 @@
+     unsigned size;
+ {
+     if (opaque) items += size - size; /* make compiler happy */
+-    return sizeof(uInt) > 2 ? (voidpf)malloc(items * size) :
++    return sizeof(uInt) > 2 ? (voidpf)malloc((long) items * size) :
+                               (voidpf)calloc(items, size);
+ }
+ 

deps/pcre/pcretest.c-multiplication-overflow.patch

@@ -0,0 +1,9 @@
+@@ -4094,7 +4094,7 @@
+ #endif
+       new_info(re, NULL, PCRE_INFO_SIZE, &size);
+       fprintf(outfile, "Memory allocation (code space): %d\n",
+-        (int)(size - real_pcre_size - name_count * name_entry_size));
++        (int)(size - real_pcre_size - (long) name_count * name_entry_size));
+       }
+ 
+     /* If -s or /S was present, study the regex to generate additional info to

deps/re2/onepass.cc-multiplication-overflow.patch

@@ -0,0 +1,12 @@
+@@ -611,9 +611,9 @@
+     LOG(ERROR) << "nodes:\n" << dump;
+   }
+ 
+-  dfa_mem_ -= nalloc*statesize;
++  dfa_mem_ -= static_cast<long>(nalloc)*statesize;
+   onepass_nodes_ = PODArray<uint8_t>(nalloc*statesize);
+-  memmove(onepass_nodes_.data(), nodes.data(), nalloc*statesize);
++  memmove(onepass_nodes_.data(), nodes.data(), static_cast<long>(nalloc)*statesize);
+   return true;
+ 
+ fail:

deps/sqlite3/sqlite3.c-multiplication-overflow.patch

@@ -0,0 +1,18 @@
+@@ -103301,7 +103301,7 @@
+   int n = *pnEntry;
+   if( (n & (n-1))==0 ){
+     int sz = (n==0) ? 1 : 2*n;
+-    void *pNew = sqlite3DbRealloc(db, pArray, sz*szEntry);
++    void *pNew = sqlite3DbRealloc(db, pArray, (long) sz*szEntry);
+     if( pNew==0 ){
+       *pIdx = -1;
+       return pArray;
+@@ -141183,7 +141183,7 @@
+     pStart = 0;
+   }else if( pBuf==0 ){
+     sqlite3BeginBenignMalloc();
+-    pStart = sqlite3Malloc( sz*cnt );  /* IMP: R-61949-35727 */
++    pStart = sqlite3Malloc( (long) sz*cnt );  /* IMP: R-61949-35727 */
+     sqlite3EndBenignMalloc();
+     if( pStart ) cnt = sqlite3MallocSize(pStart)/sz;
+   }else{

include/gen_utils.h

@@ -88,7 +88,7 @@ class PtrArray {
 	void * remove_index(unsigned int i) {
 		void *r=pdata[i];
 		if (i != (len-1)) {
-			memmove(pdata+(i)*sizeof(void *),pdata+(i+1)*sizeof(void *),(len-i-1)*sizeof(void *));
+			memmove((void **)pdata+i,(void **)pdata+i+1,(len-i-1)*sizeof(void *));
 		}
 		len--;
 		if ( ( len>MIN_ARRAY_LEN ) && ( size > len*MIN_ARRAY_DELETE_RATIO ) ) {

lib/Makefile

@@ -1,7 +1,7 @@
 ifndef GIT_VERSION
-GIT_VERSION := $(shell git describe --long --abbrev=7)
+	GIT_VERSION := $(shell git describe --long --abbrev=7)
 ifndef GIT_VERSION
-$(error GIT_VERSION is not set)
+	$(error GIT_VERSION is not set)
 endif
 endif
 

lib/ProxySQL_Admin.cpp

@@ -3507,7 +3507,7 @@ SQLite3_result * ProxySQL_Admin::generate_show_table_status(const char *tablenam
 	pta[0]=NULL;
 	char *tn=NULL; // tablename
 	// note that tablename is passed with a trailing '
-	tn=(char *)malloc(strlen(tablename));
+	tn=(char *)malloc(strlen(tablename)+1);
 	unsigned int i=0, j=0;
 	while (i<strlen(tablename)) {
 		if (tablename[i]!='\\' && tablename[i]!='`' && tablename[i]!='\'') {
@@ -4877,9 +4877,9 @@ void admin_session_handler(MySQL_Session *sess, void *_pa, PtrSize_t *pkt) {
 		strB=(char *)"SELECT name AS tables FROM sqlite_master WHERE type='table' AND name LIKE '%s'";
 		strBl=strlen(strB);
 		char *tn=NULL; // tablename
-		tn=(char *)malloc(strlen(strA));
+		tn=(char *)malloc(strAl+1);
 		unsigned int i=0, j=0;
-		while (i<strlen(strA)) {
+		while (i<strAl) {
 			if (strA[i]!='\\' && strA[i]!='`' && strA[i]!='\'') {
 				tn[j]=strA[i];
 				j++;

lib/c_tokenizer.cpp

@@ -2315,7 +2315,7 @@ void stage_4_parsing(shared_st* shared_st, stage_1_st* stage_1_st, stage_4_st* s
 
 			// count found forward patterns
 			if (found_group_patterns > opts->groups_grouping_limit) {
-				memmove(shared_st->res_pre_pos, pattern_start, group_pattern_size * opts->groups_grouping_limit);
+				memmove(shared_st->res_pre_pos, pattern_start, (long) group_pattern_size * opts->groups_grouping_limit);
 				shared_st->res_pre_pos += group_pattern_size * opts->groups_grouping_limit;
 				*shared_st->res_pre_pos++ = '.';
 				*shared_st->res_pre_pos++ = '.';

src/Makefile

@@ -1,7 +1,7 @@
 ifndef GIT_VERSION
-GIT_VERSION := $(shell git describe --long --abbrev=7)
+	GIT_VERSION := $(shell git describe --long --abbrev=7)
 ifndef GIT_VERSION
-$(error GIT_VERSION is not set)
+	$(error GIT_VERSION is not set)
 endif
 endif
 

src/SQLite3_Server.cpp

@@ -318,7 +318,7 @@ void SQLite3_Server_session_handler(MySQL_Session *sess, void *_pa, PtrSize_t *p
 	SQLite3_result *resultset=NULL;
 	char *strA=NULL;
 	char *strB=NULL;
-	int strAl, strBl;
+	size_t strAl, strBl;
 	char *query=NULL;
 	unsigned int query_length=pkt->size-sizeof(mysql_hdr);
 	query=(char *)l_alloc(query_length);
@@ -515,9 +515,9 @@ void SQLite3_Server_session_handler(MySQL_Session *sess, void *_pa, PtrSize_t *p
 		strB=(char *)"SELECT name AS tables FROM sqlite_master WHERE type='table' AND name LIKE '%s'";
 		strBl=strlen(strB);
 		char *tn=NULL; // tablename
-		tn=(char *)malloc(strlen(strA));
+		tn=(char *)malloc(strAl+1);
 		unsigned int i=0, j=0;
-		while (i<strlen(strA)) {
+		while (i<strAl) {
 			if (strA[i]!='\\' && strA[i]!='`' && strA[i]!='\'') {
 				tn[j]=strA[i];
 				j++;