Commit edc22384 authored by Ramil Kalimullin's avatar Ramil Kalimullin

Fix for bug #54393: crash and/or valgrind errors in

mysql_client_binlog_statement

Problem: server may read from unassigned memory performing
"wrong" BINLOG queries.

Fix: never read from unassigned memory.


mysql-test/suite/binlog/r/binlog_base64_flag.result:
  Fix for bug #54393: crash and/or valgrind errors in
  mysql_client_binlog_statement
    - test result.
mysql-test/suite/binlog/t/binlog_base64_flag.test:
  Fix for bug #54393: crash and/or valgrind errors in
  mysql_client_binlog_statement
    - test case.
sql/sql_binlog.cc:
  Fix for bug #54393: crash and/or valgrind errors in
  mysql_client_binlog_statement
    - coded_len should not count trailing '/0';
    - never read from unassigned memory.
parent 37e6458b
......@@ -91,3 +91,14 @@ iONkSBcBAAAAKwAAAMQBAAAQABAAAAAAAAEAA//4AQAAAAMAMTIzAQAAAA==
';
ERROR HY000: master may suffer from http://bugs.mysql.com/bug.php?id=37426 so slave stops; check error log on slave for more info
drop table t1, char63_utf8, char128_utf8;
#
# Bug #54393: crash and/or valgrind errors in
# mysql_client_binlog_statement
#
BINLOG '';
ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use
BINLOG '123';
BINLOG '-2079193929';
ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use
BINLOG 'xç↓%~∙D╒ƒ╡';
ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use
......@@ -150,3 +150,16 @@ iONkSBcBAAAAKwAAAMQBAAAQABAAAAAAAAEAA//4AQAAAAMAMTIzAQAAAA==
';
drop table t1, char63_utf8, char128_utf8;
--echo #
--echo # Bug #54393: crash and/or valgrind errors in
--echo # mysql_client_binlog_statement
--echo #
--error ER_SYNTAX_ERROR
BINLOG '';
BINLOG '123';
--error ER_SYNTAX_ERROR
BINLOG '-2079193929';
--error ER_SYNTAX_ERROR
BINLOG 'xç↓%~∙D╒ƒ╡';
......@@ -42,9 +42,13 @@ void mysql_client_binlog_statement(THD* thd)
if (check_global_access(thd, SUPER_ACL))
DBUG_VOID_RETURN;
size_t coded_len= thd->lex->comment.length + 1;
size_t coded_len= thd->lex->comment.length;
if (!coded_len)
{
my_error(ER_SYNTAX_ERROR, MYF(0));
DBUG_VOID_RETURN;
}
size_t decoded_len= base64_needed_decoded_length(coded_len);
DBUG_ASSERT(coded_len > 0);
/*
Allocation
......@@ -145,14 +149,16 @@ void mysql_client_binlog_statement(THD* thd)
/*
Checking that the first event in the buffer is not truncated.
*/
ulong event_len= uint4korr(bufptr + EVENT_LEN_OFFSET);
DBUG_PRINT("info", ("event_len=%lu, bytes_decoded=%d",
event_len, bytes_decoded));
if (bytes_decoded < EVENT_LEN_OFFSET || (uint) bytes_decoded < event_len)
ulong event_len;
if (bytes_decoded < EVENT_LEN_OFFSET + 4 ||
(event_len= uint4korr(bufptr + EVENT_LEN_OFFSET)) >
(uint) bytes_decoded)
{
my_error(ER_SYNTAX_ERROR, MYF(0));
goto end;
}
DBUG_PRINT("info", ("event_len=%lu, bytes_decoded=%d",
event_len, bytes_decoded));
/*
If we have not seen any Format_description_event, then we must
......@@ -190,17 +196,6 @@ void mysql_client_binlog_statement(THD* thd)
bufptr += event_len;
DBUG_PRINT("info",("ev->get_type_code()=%d", ev->get_type_code()));
#ifndef HAVE_purify
/*
This debug printout should not be used for valgrind builds
since it will read from unassigned memory.
*/
DBUG_PRINT("info",("bufptr+EVENT_TYPE_OFFSET: 0x%lx",
(long) (bufptr+EVENT_TYPE_OFFSET)));
DBUG_PRINT("info", ("bytes_decoded: %d bufptr: 0x%lx buf[EVENT_LEN_OFFSET]: %lu",
bytes_decoded, (long) bufptr,
(ulong) uint4korr(bufptr+EVENT_LEN_OFFSET)));
#endif
ev->thd= thd;
/*
We go directly to the application phase, since we don't need
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment