diff --git a/mysql-test/suite/binlog/r/binlog_base64_flag.result b/mysql-test/suite/binlog/r/binlog_base64_flag.result index 58c444c9571..7fb5e50a219 100644 --- a/mysql-test/suite/binlog/r/binlog_base64_flag.result +++ b/mysql-test/suite/binlog/r/binlog_base64_flag.result @@ -91,3 +91,14 @@ iONkSBcBAAAAKwAAAMQBAAAQABAAAAAAAAEAA//4AQAAAAMAMTIzAQAAAA== '; ERROR HY000: master may suffer from http://bugs.mysql.com/bug.php?id=37426 so slave stops; check error log on slave for more info drop table t1, char63_utf8, char128_utf8; +# +# Bug #54393: crash and/or valgrind errors in +# mysql_client_binlog_statement +# +BINLOG ''; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use +BINLOG '123'; +BINLOG '-2079193929'; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use +BINLOG 'xç↓%~∙D╒ƒ╡'; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use diff --git a/mysql-test/suite/binlog/t/binlog_base64_flag.test b/mysql-test/suite/binlog/t/binlog_base64_flag.test index e6271ec6ccc..3f1e4e98bec 100644 --- a/mysql-test/suite/binlog/t/binlog_base64_flag.test +++ b/mysql-test/suite/binlog/t/binlog_base64_flag.test @@ -150,3 +150,16 @@ iONkSBcBAAAAKwAAAMQBAAAQABAAAAAAAAEAA//4AQAAAAMAMTIzAQAAAA== '; drop table t1, char63_utf8, char128_utf8; + + +--echo # +--echo # Bug #54393: crash and/or valgrind errors in +--echo # mysql_client_binlog_statement +--echo # +--error ER_SYNTAX_ERROR +BINLOG ''; +BINLOG '123'; +--error ER_SYNTAX_ERROR +BINLOG '-2079193929'; +--error ER_SYNTAX_ERROR +BINLOG 'xç↓%~∙D╒ƒ╡'; diff --git a/sql/sql_binlog.cc b/sql/sql_binlog.cc index ee51480411b..82de6feb1a9 100644 --- a/sql/sql_binlog.cc +++ b/sql/sql_binlog.cc @@ -42,9 +42,13 @@ void mysql_client_binlog_statement(THD* thd) if (check_global_access(thd, SUPER_ACL)) DBUG_VOID_RETURN; - size_t coded_len= thd->lex->comment.length + 1; + size_t coded_len= thd->lex->comment.length; + if (!coded_len) + { + my_error(ER_SYNTAX_ERROR, MYF(0)); + DBUG_VOID_RETURN; + } size_t decoded_len= base64_needed_decoded_length(coded_len); - DBUG_ASSERT(coded_len > 0); /* Allocation @@ -145,14 +149,16 @@ void mysql_client_binlog_statement(THD* thd) /* Checking that the first event in the buffer is not truncated. */ - ulong event_len= uint4korr(bufptr + EVENT_LEN_OFFSET); - DBUG_PRINT("info", ("event_len=%lu, bytes_decoded=%d", - event_len, bytes_decoded)); - if (bytes_decoded < EVENT_LEN_OFFSET || (uint) bytes_decoded < event_len) + ulong event_len; + if (bytes_decoded < EVENT_LEN_OFFSET + 4 || + (event_len= uint4korr(bufptr + EVENT_LEN_OFFSET)) > + (uint) bytes_decoded) { my_error(ER_SYNTAX_ERROR, MYF(0)); goto end; } + DBUG_PRINT("info", ("event_len=%lu, bytes_decoded=%d", + event_len, bytes_decoded)); /* If we have not seen any Format_description_event, then we must @@ -190,17 +196,6 @@ void mysql_client_binlog_statement(THD* thd) bufptr += event_len; DBUG_PRINT("info",("ev->get_type_code()=%d", ev->get_type_code())); -#ifndef HAVE_purify - /* - This debug printout should not be used for valgrind builds - since it will read from unassigned memory. - */ - DBUG_PRINT("info",("bufptr+EVENT_TYPE_OFFSET: 0x%lx", - (long) (bufptr+EVENT_TYPE_OFFSET))); - DBUG_PRINT("info", ("bytes_decoded: %d bufptr: 0x%lx buf[EVENT_LEN_OFFSET]: %lu", - bytes_decoded, (long) bufptr, - (ulong) uint4korr(bufptr+EVENT_LEN_OFFSET))); -#endif ev->thd= thd; /* We go directly to the application phase, since we don't need