author | Sujatha <sujatha.sivakumar@mariadb.com> | 2019-12-18 15:02:23 +0530 |
---|---|---|
committer | Sujatha <sujatha.sivakumar@mariadb.com> | 2020-01-07 18:27:05 +0530 |
commit | d6fa69e4be945da174ae3445dc8203ece689f048 (patch) | |
tree | ba15ee22df89614eafb508a6e78f38c43bf0a149 | |
parent | 15781283eb4ec0eaf814565b9a4edd581eec6d3b (diff) | |
download | mariadb-git-d6fa69e4be945da174ae3445dc8203ece689f048.tar.gz |
MDEV-18046: Assortment of crashes, assertion failures and ASAN errors in mysql_show_binlog_events
Problem:
========
SHOW BINLOG EVENTS FROM <pos> reports following ASAN error
AddressSanitizer: heap-buffer-overflow on address 0x60400002acb8
Load_log_event::copy_log_event(char const*, unsigned long, int,
Format_description_log_event const*)
Fix:
===
**Part6: Moved the event_len validation to the beginning of the copy_log_event function**
-rw-r--r-- | sql/log_event.cc | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/sql/log_event.cc b/sql/log_event.cc
index ebc14e6571d..65ce94f2695 100644
--- a/sql/log_event.cc
+++ b/sql/log_event.cc
@@ -5891,6 +5891,8 @@ int Load_log_event::copy_log_event(const char *buf, ulong event_len,
 {
   DBUG_ENTER("Load_log_event::copy_log_event");
   uint data_len;
+  if ((int) event_len < body_offset)
+    DBUG_RETURN(1);
   char* buf_end = (char*)buf + event_len;
   /* this is the beginning of the post-header */
   const char* data_head = buf + description_event->common_header_len;
@@ -5900,9 +5902,7 @@ int Load_log_event::copy_log_event(const char *buf, ulong event_len,
   table_name_len = (uint)data_head[L_TBL_LEN_OFFSET];
   db_len = (uint)data_head[L_DB_LEN_OFFSET];
   num_fields = uint4korr(data_head + L_NUM_FIELDS_OFFSET);
-
-  if ((int) event_len < body_offset)
-    DBUG_RETURN(1);
+
   /*
     Sql_ex.init() on success returns the pointer to the first byte after
     the sql_ex structure, which is the start of field lengths array.
@@ -5911,7 +5911,7 @@ int Load_log_event::copy_log_event(const char *buf, ulong event_len,
                     buf_end,
                     (uchar)buf[EVENT_TYPE_OFFSET] != LOAD_EVENT)))
     DBUG_RETURN(1);
-
+
   data_len = event_len - body_offset;
   if (num_fields > data_len) // simple sanity check against corruption
     DBUG_RETURN(1);
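Review bot: The relocated guard `if ((int) event_len < body_offset)` in the first hunk still pushes a `ulong` through a C-style `int` cast, so an `event_len` with its high bit set compares as negative; that fails closed as long as body_offset is non-negative, but the truncation is avoidable and the intent clearer if the comparison stays unsigned, e.g. `if (body_offset < 0 || event_len < (ulong) body_offset) DBUG_RETURN(1);` (body_offset's declaration sits in the cut-off parameter list, so adjust the form if it is already unsigned). A why-comment above the check would record what the move protects, since the commit message only says that it was moved: `/* Must precede the post-header reads below: data_head[...] is only in bounds once event_len covers body_offset. */`. The second and third hunks are now blank-line churn only; the `+` blank line in hunk 2 could be dropped along with the removed one rather than re-added. copy_log_event's signature is cut by the hunk header and its body continues past the last hunk.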