MDEV-18046: Assortment of crashes, assertion failures and ASAN errors in mysql_show_binlog_events

Problem: ======== SHOW BINLOG EVENTS FROM <pos> reports following ASAN error "heap-buffer-overflow on address" and some times it asserts. Table_map_log_event::Table_map_log_event(const char*, uint, const Format_description_log_event*) Assertion `m_field_metadata_size <= (m_colcnt * 2)' failed. Fix: === **Part7: Avoid reading out of buffer** Converted debug assert to error handler code.

MDEV-18046: Assortment of crashes, assertion failures and ASAN errors in mysql_show_binlog_events
Problem: ======== SHOW BINLOG EVENTS FROM <pos> reports following ASAN error "heap-buffer-overflow on address" and some times it asserts. Table_map_log_event::Table_map_log_event(const char*, uint, const Format_description_log_event*) Assertion `m_field_metadata_size <= (m_colcnt * 2)' failed. Fix: === **Part7: Avoid reading out of buffer** Converted debug assert to error handler code.
2187f1c2 · Sujatha · d6fa69e4 · 2187f1c2
Commit 2187f1c2 authored Dec 18, 2019 by Sujatha
Show whitespace changes
Inline Side-by-side

Showing with 21 additions and 10 deletions

sql/log_event.cc sql/log_event.cc +21 -10

No files found.
--- a/sql/log_event.cc
+++ b/sql/log_event.cc
@@ -11013,7 +11013,6 @@ Table_map_log_event::Table_map_log_event(const char *buf, uint event_len,
  uint8 post_header_len= description_event->post_header_len[TABLE_MAP_EVENT-1];
  DBUG_PRINT("info",("event_len: %u  common_header_len: %d  post_header_len: %d",
                     event_len, common_header_len, post_header_len));
  /*
    Don't print debug messages when running valgrind since they can
    trigger false warnings.
@@ -11022,6 +11021,9 @@ Table_map_log_event::Table_map_log_event(const char *buf, uint event_len,
  DBUG_DUMP("event buffer", (uchar*) buf, event_len);
 #endif
+  if (event_len < (uint)(common_header_len + post_header_len))
+    DBUG_VOID_RETURN;
  /* Read the post-header */
  const char *post_start= buf + common_header_len;
@@ -11084,7 +11086,8 @@ Table_map_log_event::Table_map_log_event(const char *buf, uint event_len,
    if (bytes_read < event_len)
    {
      m_field_metadata_size= net_field_length(&ptr_after_colcnt);
-      DBUG_ASSERT(m_field_metadata_size <= (m_colcnt * 2));
+      if(m_field_metadata_size <= (m_colcnt * 2))
+      {
        uint num_null_bytes= (m_colcnt + 7) / 8;
        m_meta_memory= (uchar *)my_multi_malloc(MYF(MY_WME),
            &m_null_bits, num_null_bytes,
@@ -11094,6 +11097,14 @@ Table_map_log_event::Table_map_log_event(const char *buf, uint event_len,
        ptr_after_colcnt= (uchar*)ptr_after_colcnt + m_field_metadata_size;
        memcpy(m_null_bits, ptr_after_colcnt, num_null_bytes);
      }
+      else
+      {
+        m_coltype= NULL;
+        my_free(m_memory);
+        m_memory= NULL;
+        DBUG_VOID_RETURN;
+      }
+    }
  }
  DBUG_VOID_RETURN;