From d6fa69e4be945da174ae3445dc8203ece689f048 Mon Sep 17 00:00:00 2001
From: Sujatha
Date: Wed, 18 Dec 2019 15:02:23 +0530
Subject: [PATCH] MDEV-18046: Assortment of crashes, assertion failures and ASAN errors in mysql_show_binlog_events
Problem:
========
SHOW BINLOG EVENTS FROM reports following ASAN error AddressSanitizer: heap-buffer-overflow on address 0x60400002acb8 Load_log_event::copy_log_event(char const*, unsigned long, int, Format_description_log_event const*)
Fix:
===
**Part6: Moved the event_len validation to the begin of copy_log_event function**
---
 sql/log_event.cc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/sql/log_event.cc b/sql/log_event.cc
index ebc14e6571d..65ce94f2695 100644
--- a/sql/log_event.cc
+++ b/sql/log_event.cc
@@ -5891,6 +5891,8 @@ int Load_log_event::copy_log_event(const char *buf, ulong event_len,
 {
 DBUG_ENTER("Load_log_event::copy_log_event");
 uint data_len;
+ if ((int) event_len < body_offset)
+ DBUG_RETURN(1);
 char* buf_end = (char*)buf + event_len;
 /* this is the beginning of the post-header */
 const char* data_head = buf + description_event->common_header_len;
@@ -5900,9 +5902,7 @@ int Load_log_event::copy_log_event(const char *buf, ulong event_len,
 table_name_len = (uint)data_head[L_TBL_LEN_OFFSET];
 db_len = (uint)data_head[L_DB_LEN_OFFSET];
 num_fields = uint4korr(data_head + L_NUM_FIELDS_OFFSET);
-
- if ((int) event_len < body_offset)
- DBUG_RETURN(1);
+
 /*
 Sql_ex.init() on success returns the pointer to the first byte after
 the sql_ex structure, which is the start of field lengths array.
@@ -5911,7 +5911,7 @@ int Load_log_event::copy_log_event(const char *buf, ulong event_len,
 buf_end,
 (uchar)buf[EVENT_TYPE_OFFSET] != LOAD_EVENT)))
 DBUG_RETURN(1);
-
+
 data_len = event_len - body_offset;
 if (num_fields > data_len) // simple sanity check against corruption
 DBUG_RETURN(1);
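Review bot: The relocated guard on the two added lines of the first hunk is the only thing standing between a truncated event and the `data_head[L_TBL_LEN_OFFSET]`, `data_head[L_DB_LEN_OFFSET]` and `uint4korr(data_head + L_NUM_FIELDS_OFFSET)` reads a few lines later, so its correctness depends on `body_offset` covering the common header plus the whole Load post-header; that is presumably how the caller computes it, but nothing in the hunk states the contract, and the `(int)` narrowing of a `ulong` is implementation-defined for lengths above INT_MAX (it happens to reject them by going negative). A comment above the check would pin that down: `/* body_offset must span common_header_len + the Load post-header, so this one test also bounds every data_head[...] read below. */`, and the comparison can avoid the narrowing cast as `if (body_offset < 0 || event_len < (ulong) body_offset)`. The later `data_len = event_len - body_offset;` in the third hunk relies on the same guarantee, so the comment should mention it. The second and third hunks only remove the old copy of the check and a blank line; copy_log_event's body continues past the hunk.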