MDEV-18046: Assortment of crashes, assertion failures and ASAN errors in mysql_show_binlog_events

Problem: ======== SHOW BINLOG EVENTS FROM <pos> reports following ASAN error AddressSanitizer: heap-buffer-overflow on address 0x60400002acb8 Load_log_event::copy_log_event(char const*, unsigned long, int, Format_description_log_event const*) Fix: === **Part6: Moved the event_len validation to the begin of copy_log_event function**
2025-08-08 11:22:35 +03:00 · 2019-12-18 15:02:23 +05:30
parent 15781283eb
commit d6fa69e4be
1 changed files with 4 additions and 4 deletions
--- a/sql/log_event.cc
+++ b/sql/log_event.cc
@@ -5891,6 +5891,8 @@ int Load_log_event::copy_log_event(const char *buf, ulong event_len,
 {
  DBUG_ENTER("Load_log_event::copy_log_event");
  uint data_len;
+  if ((int) event_len < body_offset)
+    DBUG_RETURN(1);
  char* buf_end = (char*)buf + event_len;
  /* this is the beginning of the post-header */
  const char* data_head = buf + description_event->common_header_len;
@@ -5900,9 +5902,7 @@ int Load_log_event::copy_log_event(const char *buf, ulong event_len,
  table_name_len = (uint)data_head[L_TBL_LEN_OFFSET];
  db_len = (uint)data_head[L_DB_LEN_OFFSET];
  num_fields = uint4korr(data_head + L_NUM_FIELDS_OFFSET);
-	  
-  if ((int) event_len < body_offset)
-    DBUG_RETURN(1);
+
  /*
    Sql_ex.init() on success returns the pointer to the first byte after
    the sql_ex structure, which is the start of field lengths array.
@@ -5911,7 +5911,7 @@ int Load_log_event::copy_log_event(const char *buf, ulong event_len,
                                        buf_end,
                                        (uchar)buf[EVENT_TYPE_OFFSET] != LOAD_EVENT)))
    DBUG_RETURN(1);
-  
+
  data_len = event_len - body_offset;
  if (num_fields > data_len) // simple sanity check against corruption
    DBUG_RETURN(1);