    Bug#19145712 USER AFTER FREE / DOUBLE FREE ISSUE · a7975870
    Venkatesh Duggirala authored
          
          Problem: A corrupted header length in FORMAT_DESCRIPTION_LOG_EVENT
          can cause the server to crash.
          Analysis: FORMAT_DESCRIPTION_EVENT will be considered invalid if the
          header length is too small (i.e. below OLD_HEADER_LEN).
          
          Format_description_log_event::Format_description_log_event(...)
          {
            ...
            if ((common_header_len=buf[ST_COMMON_HEADER_LEN_OFFSET]) < OLD_HEADER_LEN)
              DBUG_VOID_RETURN; /* sanity check */
            ...
            post_header_len= my_memdup(...)
          }
          
          In that case the Format_description_log_event constructor will return early,
          without allocating any memory for post_header_len. Hence this variable is
          left uninitialized, making the server crash when it tries to free the
          uninitialized value.
          
          Fix: When the Format_description_log_event constructor returns early, assign
          NULL to post_header_len.
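          The uninitialized-free pattern described above, reduced to a standalone C example (added here; this is not MySQL's log_event.cc code, and the struct layout, constant values and helper names are constructed for illustration):

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed layout constants named after the commit message; not MySQL's real values. */
#define OLD_HEADER_LEN              13
#define ST_COMMON_HEADER_LEN_OFFSET 0
#define NUM_POST_HEADER_LENS        4

typedef struct {
    uint8_t  common_header_len;
    uint8_t *post_header_len;   /* heap copy of per-event post-header lengths */
} fde_t;

/* Before the fix: the sanity check returns before post_header_len is assigned,
 * so the field keeps whatever bytes the allocator left behind. */
static void fde_construct_unsafe(fde_t *ev, const uint8_t *buf)
{
    ev->common_header_len = buf[ST_COMMON_HEADER_LEN_OFFSET];
    if (ev->common_header_len < OLD_HEADER_LEN)
        return;                              /* post_header_len left as-is */
    ev->post_header_len = malloc(NUM_POST_HEADER_LENS);
    memcpy(ev->post_header_len, buf + 1, NUM_POST_HEADER_LENS);
}
/* After the fix: the early-return path hands the destructor a pointer free() accepts. */
static void fde_construct_fixed(fde_t *ev, const uint8_t *buf)
{
    ev->common_header_len = buf[ST_COMMON_HEADER_LEN_OFFSET];
    if (ev->common_header_len < OLD_HEADER_LEN) {
        ev->post_header_len = NULL;          /* the fix from the commit */
        return;
    }
    ev->post_header_len = malloc(NUM_POST_HEADER_LENS);
    memcpy(ev->post_header_len, buf + 1, NUM_POST_HEADER_LENS);
}
/* Destructor: free(NULL) is a no-op; free(stale garbage) is the reported crash. */
static void fde_destroy(fde_t *ev) { free(ev->post_header_len); ev->post_header_len = NULL; }

/* Poison the struct to stand in for reused heap memory, construct from a header whose
 * length byte is below OLD_HEADER_LEN, and report whether the destructor would be
 * handed a non-NULL garbage pointer (which this check deliberately does not free). */
static int would_free_garbage(void (*construct)(fde_t *, const uint8_t *))
{
    const uint8_t corrupted[5] = { 4, 0, 0, 0, 0 };   /* constructed: header len 4 */
    fde_t ev;
    memset(&ev, 0xAA, sizeof ev);
    construct(&ev, corrupted);
    if (ev.post_header_len != NULL) return 1;
    fde_destroy(&ev);                                  /* safe: free(NULL) */
    return 0;
}
```

Running would_free_garbage with the unsafe constructor reports the garbage pointer that the real destructor would have passed to free(); with the fixed constructor the destructor sees NULL and the early-return path is harmless.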
log_event.cc 336 KB