Fix for bug #54393: crash and/or valgrind errors in

mysql_client_binlog_statement Problem: server may read from unassigned memory performing "wrong" BINLOG queries. Fix: never read from unassigned memory. mysql-test/suite/binlog/r/binlog_base64_flag.result: Fix for bug #54393: crash and/or valgrind errors in mysql_client_binlog_statement - test result. mysql-test/suite/binlog/t/binlog_base64_flag.test: Fix for bug #54393: crash and/or valgrind errors in mysql_client_binlog_statement - test case. sql/sql_binlog.cc: Fix for bug #54393: crash and/or valgrind errors in mysql_client_binlog_statement - coded_len should not count trailing '/0'; - never read from unassigned memory.
2025-07-29 05:21:33 +03:00 · 2010-06-18 21:32:23 +04:00
parent 10d0786cd4
commit 5088fb1394
3 changed files with 36 additions and 17 deletions
--- a/sql/sql_binlog.cc
+++ b/sql/sql_binlog.cc
@ -42,9 +42,13 @@ void mysql_client_binlog_statement(THD* thd)
  if (check_global_access(thd, SUPER_ACL))
    DBUG_VOID_RETURN;

-  size_t coded_len= thd->lex->comment.length + 1;
+  size_t coded_len= thd->lex->comment.length;
+  if (!coded_len)
+  {
+    my_error(ER_SYNTAX_ERROR, MYF(0));
+    DBUG_VOID_RETURN;
+  }
  size_t decoded_len= base64_needed_decoded_length(coded_len);
-  DBUG_ASSERT(coded_len > 0);

  /*
    Allocation
@ -145,14 +149,16 @@ void mysql_client_binlog_statement(THD* thd)
      /*
        Checking that the first event in the buffer is not truncated.
      */
-      ulong event_len= uint4korr(bufptr + EVENT_LEN_OFFSET);
-      DBUG_PRINT("info", ("event_len=%lu, bytes_decoded=%d",
-                          event_len, bytes_decoded));
-      if (bytes_decoded < EVENT_LEN_OFFSET || (uint) bytes_decoded < event_len)
+      ulong event_len;
+      if (bytes_decoded < EVENT_LEN_OFFSET + 4 || 
+          (event_len= uint4korr(bufptr + EVENT_LEN_OFFSET)) > 
+           (uint) bytes_decoded)
      {
        my_error(ER_SYNTAX_ERROR, MYF(0));
        goto end;
      }
+      DBUG_PRINT("info", ("event_len=%lu, bytes_decoded=%d",
+                          event_len, bytes_decoded));

      /*
        If we have not seen any Format_description_event, then we must
@ -190,17 +196,6 @@ void mysql_client_binlog_statement(THD* thd)
      bufptr += event_len;

      DBUG_PRINT("info",("ev->get_type_code()=%d", ev->get_type_code()));
-#ifndef HAVE_purify
-      /*
-        This debug printout should not be used for valgrind builds
-        since it will read from unassigned memory.
-      */
-      DBUG_PRINT("info",("bufptr+EVENT_TYPE_OFFSET: 0x%lx",
-                         (long) (bufptr+EVENT_TYPE_OFFSET)));
-      DBUG_PRINT("info", ("bytes_decoded: %d   bufptr: 0x%lx  buf[EVENT_LEN_OFFSET]: %lu",
-                          bytes_decoded, (long) bufptr,
-                          (ulong) uint4korr(bufptr+EVENT_LEN_OFFSET)));
-#endif
      ev->thd= thd;
      /*
        We go directly to the application phase, since we don't need