Commit b3c4bc6e authored by unknown's avatar unknown

BUG#31793 (log event corruption causes crash):

Corrections to get_str_len_and_pointer().


sql/log_event.cc:
  Adding missing return at end of get_str_len_and_pointer()
  and correcting computation of missing bytes.
parent 9eb28b96
...@@ -1436,11 +1436,12 @@ get_str_len_and_pointer(const Log_event::Byte **src, ...@@ -1436,11 +1436,12 @@ get_str_len_and_pointer(const Log_event::Byte **src,
if (length > 0) if (length > 0)
{ {
if (*src + length >= end) if (*src + length >= end)
return *src + length - end; // Number of bytes missing return *src + length - end + 1; // Number of bytes missing
*dst= (char *)*src + 1; // Will be copied later *dst= (char *)*src + 1; // Will be copied later
} }
*len= length; *len= length;
(*src)+= *len + 1; *src+= length + 1;
return 0;
} }
static void copy_str_and_move(const char **src, static void copy_str_and_move(const char **src,
...@@ -1454,6 +1455,23 @@ static void copy_str_and_move(const char **src, ...@@ -1454,6 +1455,23 @@ static void copy_str_and_move(const char **src,
} }
static char const *code_name(int code) {
char buf[255];
switch (code) {
case Q_FLAGS2_CODE: return "Q_FLAGS2_CODE";
case Q_SQL_MODE_CODE: return "Q_SQL_MODE_CODE";
case Q_CATALOG_CODE: return "Q_CATALOG_CODE";
case Q_AUTO_INCREMENT: return "Q_AUTO_INCREMENT";
case Q_CHARSET_CODE: return "Q_CHARSET_CODE";
case Q_TIME_ZONE_CODE: return "Q_TIME_ZONE_CODE";
case Q_CATALOG_NZ_CODE: return "Q_CATALOG_NZ_CODE";
case Q_LC_TIME_NAMES_CODE: return "Q_LC_TIME_NAMES_CODE";
case Q_CHARSET_DATABASE_CODE: return "Q_CHARSET_DATABASE_CODE";
}
sprintf(buf, "CODE#%d", code);
return buf;
}
/** /**
Macro to check that there is enough space to read from memory. Macro to check that there is enough space to read from memory.
...@@ -1463,8 +1481,10 @@ static void copy_str_and_move(const char **src, ...@@ -1463,8 +1481,10 @@ static void copy_str_and_move(const char **src,
*/ */
#define CHECK_SPACE(PTR,END,CNT) \ #define CHECK_SPACE(PTR,END,CNT) \
do { \ do { \
DBUG_PRINT("info", ("Read %s", code_name(pos[-1]))); \
DBUG_ASSERT((PTR) + (CNT) <= (END)); \ DBUG_ASSERT((PTR) + (CNT) <= (END)); \
if ((PTR) + (CNT) > (END)) { \ if ((PTR) + (CNT) > (END)) { \
DBUG_PRINT("info", ("query= 0")); \
query= 0; \ query= 0; \
DBUG_VOID_RETURN; \ DBUG_VOID_RETURN; \
} \ } \
...@@ -1527,8 +1547,10 @@ Query_log_event::Query_log_event(const char* buf, uint event_len, ...@@ -1527,8 +1547,10 @@ Query_log_event::Query_log_event(const char* buf, uint event_len,
be even bigger, but this will suffice to catch most corruption be even bigger, but this will suffice to catch most corruption
errors that can lead to a crash. errors that can lead to a crash.
*/ */
if (status_vars_len >= min(data_len + 1, MAX_SIZE_LOG_EVENT_STATUS)) if (status_vars_len > min(data_len, MAX_SIZE_LOG_EVENT_STATUS))
{ {
DBUG_PRINT("info", ("status_vars_len: %d; data_len: %d; query= 0",
status_vars_len, data_len));
query= 0; query= 0;
DBUG_VOID_RETURN; DBUG_VOID_RETURN;
} }
...@@ -1571,8 +1593,11 @@ Query_log_event::Query_log_event(const char* buf, uint event_len, ...@@ -1571,8 +1593,11 @@ Query_log_event::Query_log_event(const char* buf, uint event_len,
break; break;
} }
case Q_CATALOG_NZ_CODE: case Q_CATALOG_NZ_CODE:
DBUG_PRINT("info", ("case Q_CATALOG_NZ_CODE; pos: 0x%lx; end: 0x%lx",
pos, end));
if (get_str_len_and_pointer(&pos, &catalog, &catalog_len, end)) if (get_str_len_and_pointer(&pos, &catalog, &catalog_len, end))
{ {
DBUG_PRINT("info", ("query= 0"));
query= 0; query= 0;
DBUG_VOID_RETURN; DBUG_VOID_RETURN;
} }
...@@ -1595,6 +1620,7 @@ Query_log_event::Query_log_event(const char* buf, uint event_len, ...@@ -1595,6 +1620,7 @@ Query_log_event::Query_log_event(const char* buf, uint event_len,
{ {
if (get_str_len_and_pointer(&pos, &time_zone_str, &time_zone_len, end)) if (get_str_len_and_pointer(&pos, &time_zone_str, &time_zone_len, end))
{ {
DBUG_PRINT("info", ("Q_TIME_ZONE_CODE: query= 0"));
query= 0; query= 0;
DBUG_VOID_RETURN; DBUG_VOID_RETURN;
} }
...@@ -2124,6 +2150,7 @@ end: ...@@ -2124,6 +2150,7 @@ end:
*/ */
thd->catalog= 0; thd->catalog= 0;
thd->set_db(NULL, 0); /* will free the current database */ thd->set_db(NULL, 0); /* will free the current database */
DBUG_PRINT("info", ("end: query= 0"));
thd->query= 0; // just to be sure thd->query= 0; // just to be sure
thd->query_length= 0; thd->query_length= 0;
VOID(pthread_mutex_unlock(&LOCK_thread_count)); VOID(pthread_mutex_unlock(&LOCK_thread_count));
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment