database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-09-11 05:52:26 +03:00
Code Activity

MDEV-18046: Assortment of crashes, assertion failures and ASAN errors in mysql_show_binlog_events

Browse Source 
Problem:
========
SHOW BINLOG EVENTS FROM <pos> reports following ASAN error

AddressSanitizer: heap-buffer-overflow on address 0x60400002acb8
Load_log_event::copy_log_event(char const*, unsigned long, int,
    Format_description_log_event const*)

Fix:
===
**Part6: Moved the event_len validation to the begin of copy_log_event function**
This commit is contained in:
Sujatha
2019-12-18 15:02:23 +05:30
parent 15781283eb
commit d6fa69e4be
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
sql/log_event.cc
View File

@@ -5891,6 +5891,8 @@ int Load_log_event::copy_log_event(const char *buf, ulong event_len,
{ {
DBUG_ENTER("Load_log_event::copy_log_event"); DBUG_ENTER("Load_log_event::copy_log_event");
uint data_len; uint data_len;
if ((int) event_len < body_offset)
DBUG_RETURN(1);
char* buf_end = (char*)buf + event_len; char* buf_end = (char*)buf + event_len;
/* this is the beginning of the post-header */ /* this is the beginning of the post-header */
const char* data_head = buf + description_event->common_header_len; const char* data_head = buf + description_event->common_header_len;
@@ -5901,8 +5903,6 @@ int Load_log_event::copy_log_event(const char *buf, ulong event_len,
db_len = (uint)data_head[L_DB_LEN_OFFSET]; db_len = (uint)data_head[L_DB_LEN_OFFSET];
num_fields = uint4korr(data_head + L_NUM_FIELDS_OFFSET); num_fields = uint4korr(data_head + L_NUM_FIELDS_OFFSET);
if ((int) event_len < body_offset)
DBUG_RETURN(1);
/* /*
Sql_ex.init() on success returns the pointer to the first byte after Sql_ex.init() on success returns the pointer to the first byte after
the sql_ex structure, which is the start of field lengths array. the sql_ex structure, which is the start of field lengths array.