The following problems have been found by Coverity - static analysis tool. mysql-5.5.31/plugin/semisync/semisync_master.cc:672:parameter_as_source – Note: This defect has an elevated risk because the source argument is a parameter of the current function. mysql-5.5.31/plugin/semisync/semisync_master.cc:661:parameter_as_source – Note: This defect has an elevated risk because the source argument is a parameter of the current function. mysql-5.5.31/plugin/semisync/semisync_master.cc:555:parameter_as_source – Note: This defect has an elevated risk because the source argument is a parameter of the current function. diff -up mariadb-10.0.15/plugin/semisync/semisync_master.cc.orig mariadb-10.0.15/plugin/semisync/semisync_master.cc --- mariadb-10.0.15/plugin/semisync/semisync_master.cc.orig 2014-11-27 15:16:59.664855517 +0100 +++ mariadb-10.0.15/plugin/semisync/semisync_master.cc 2014-11-27 15:16:17.029779375 +0100 @@ -553,7 +553,8 @@ int ReplSemiSyncMaster::reportReplyBinlo if (need_copy_send_pos) { - strcpy(reply_file_name_, log_file_name); + strncpy(reply_file_name_, log_file_name, sizeof(reply_file_name_)-1); + reply_file_name_[sizeof(reply_file_name_)-1] = '\0'; reply_file_pos_ = log_file_pos; reply_file_name_inited_ = true; @@ -661,7 +662,8 @@ int ReplSemiSyncMaster::commitTrx(const if (cmp <= 0) { /* This thd has a lower position, let's update the minimum info. */ - strcpy(wait_file_name_, trx_wait_binlog_name); + strncpy(wait_file_name_, trx_wait_binlog_name, sizeof(wait_file_name_)-1); + wait_file_name_[sizeof(wait_file_name_)-1] = '\0'; wait_file_pos_ = trx_wait_binlog_pos; rpl_semi_sync_master_wait_pos_backtraverse++; @@ -672,7 +674,8 @@ int ReplSemiSyncMaster::commitTrx(const } else { - strcpy(wait_file_name_, trx_wait_binlog_name); + strncpy(wait_file_name_, trx_wait_binlog_name, sizeof(wait_file_name_)-1); + wait_file_name_[sizeof(wait_file_name_)-1] = '\0'; wait_file_pos_ = trx_wait_binlog_pos; wait_file_name_inited_ = true; mysql-5.5.31/sql/rpl_handler.cc:306:fixed_size_dest – You might overrun the 512 byte fixed-size string "log_info->log_file" by copying "log_file + dirname_length(log_file)" without checking the length. diff -up mysql-5.5.31/sql/rpl_handler.cc.covscan-stroverflow mysql-5.5.31/sql/rpl_handler.cc diff -up mariadb-10.0.15/sql/rpl_handler.cc.orig mariadb-10.0.15/sql/rpl_handler.cc --- mariadb-10.0.15/sql/rpl_handler.cc.orig 2014-11-27 15:17:28.000906123 +0100 +++ mariadb-10.0.15/sql/rpl_handler.cc 2014-11-27 15:16:17.030779377 +0100 @@ -270,7 +270,8 @@ int Binlog_storage_delegate::after_flush my_pthread_setspecific_ptr(RPL_TRANS_BINLOG_INFO, log_info); } - strcpy(log_info->log_file, log_file+dirname_length(log_file)); + strncpy(log_info->log_file, log_file+dirname_length(log_file), sizeof(log_info->log_file)-1); + log_info->log_file[sizeof(log_info->log_file)-1] = '\0'; log_info->log_pos = log_pos; int ret= 0;