| author | Venkatesh Duggirala <venkatesh.duggirala@oracle.com> | 2014-08-28 14:29:54 +0530 |
|---|---|---|
| committer | Venkatesh Duggirala <venkatesh.duggirala@oracle.com> | 2014-08-28 14:29:54 +0530 |
| commit | a79758702933059400919b8e95525429f44d8a1c (patch) | |
| tree | 6b42b780476b9eba0b4be5f38ec3f29aa49e4e59 | |
| parent | f46a76027c3980999ad87ef65f5c52e9acd0114e (diff) | |
| download | mariadb-git-a79758702933059400919b8e95525429f44d8a1c.tar.gz | |
Bug#19145712 USER AFTER FREE / DOUBLE FREE ISSUE
Problem: A corrupted header length in FORMAT_DESCRIPTION_LOG_EVENT
can cause the server to crash.
Analysis: FORMAT_DESCRIPTION_EVENT will be considered invalid if
header len is too small (i.e. below OLD_HEADER_LEN).
Format_description_log_event::Format_description_log_event(...)
{
...
if ((common_header_len=buf[ST_COMMON_HEADER_LEN_OFFSET]) < OLD_HEADER_LEN)
DBUG_VOID_RETURN; /* sanity check */
...
post_header_len= my_memdup(...)
}
In that case the Format_description_log_event constructor returns early,
without allocating any memory for post_header_len. Hence this variable is
left uninitialized, making the server crash when it tries
to free the uninitialized value.
Fix: When Format_description_log_event constructor returns early, assign
NULL to post_header_len.
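The failure mode described above (an early return in a constructor that leaves a pointer member uninitialized for the destructor to free) and its hardened form, as an added example that is not MariaDB's code: the class, the buffer layout and the constant values are constructed for illustration, and the pointer is initialized in the initializer list so every early exit, not just the header-length check, leaves the destructor with a NULL it can free safely.

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>

// Constructed stand-ins for the server's constants (assumption: illustrative
// values, not the real binlog layout).
static const size_t LOG_EVENT_MINIMAL_HEADER_LEN = 19;
static const size_t ST_COMMON_HEADER_LEN_OFFSET  = 0;
static const unsigned char OLD_HEADER_LEN        = 13;

// Hypothetical event class modelled on the constructor in the commit message.
class FormatDescriptionEvent {
public:
  FormatDescriptionEvent(const unsigned char *buf, size_t event_len)
    : common_header_len(0), number_of_event_types(0), post_header_len(NULL) {
    // Guard the buffer length before reading the common_header_len byte.
    if (event_len < LOG_EVENT_MINIMAL_HEADER_LEN + ST_COMMON_HEADER_LEN_OFFSET + 1)
      return;                                   // is_valid() stays false
    buf += LOG_EVENT_MINIMAL_HEADER_LEN;
    common_header_len = buf[ST_COMMON_HEADER_LEN_OFFSET];
    if (common_header_len < OLD_HEADER_LEN)
      return;                                   // sanity check; pointer is still NULL
    number_of_event_types =
      event_len - (LOG_EVENT_MINIMAL_HEADER_LEN + ST_COMMON_HEADER_LEN_OFFSET + 1);
    post_header_len = static_cast<unsigned char *>(
      std::malloc(number_of_event_types ? number_of_event_types : 1));
    if (post_header_len)
      std::memcpy(post_header_len, buf + ST_COMMON_HEADER_LEN_OFFSET + 1,
                  number_of_event_types);
  }
  // free(NULL) is a no-op, so the early-return paths are safe here.
  ~FormatDescriptionEvent() { std::free(post_header_len); }
  bool is_valid() const { return post_header_len != NULL; }

  unsigned char common_header_len;
  size_t number_of_event_types;
  unsigned char *post_header_len;
};

// Builds a constructed event buffer (19 header bytes, one common_header_len
// byte, then n_types post-header lengths) and parses it; returns the number
// of event types, or -1 when the event is rejected. The destructor runs on
// both paths, which is exactly where the original bug crashed.
static long parse_event_types(unsigned char header_len, size_t n_types) {
  unsigned char buf[64] = {0};
  size_t len = LOG_EVENT_MINIMAL_HEADER_LEN + 1 + n_types;
  buf[LOG_EVENT_MINIMAL_HEADER_LEN] = header_len;
  for (size_t i = 0; i < n_types; ++i) buf[LOG_EVENT_MINIMAL_HEADER_LEN + 1 + i] = 4;
  FormatDescriptionEvent ev(buf, len);
  return ev.is_valid() ? static_cast<long>(ev.number_of_event_types) : -1;
}
```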
-rw-r--r-- | sql/log_event.cc | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/sql/log_event.cc b/sql/log_event.cc index 4f55d08933e..71ca722ffd6 100644 --- a/sql/log_event.cc +++ b/sql/log_event.cc @@ -4087,7 +4087,11 @@ Format_description_log_event(const char* buf, DBUG_ENTER("Format_description_log_event::Format_description_log_event(char*,...)"); buf+= LOG_EVENT_MINIMAL_HEADER_LEN; if ((common_header_len=buf[ST_COMMON_HEADER_LEN_OFFSET]) < OLD_HEADER_LEN) + { + /* this makes is_valid() return false. */ + post_header_len= NULL; DBUG_VOID_RETURN; /* sanity check */ + } number_of_event_types= event_len-(LOG_EVENT_MINIMAL_HEADER_LEN+ST_COMMON_HEADER_LEN_OFFSET+1); DBUG_PRINT("info", ("common_header_len=%d number_of_event_types=%d", |
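Review bot: the `post_header_len= NULL;` added before `DBUG_VOID_RETURN` in the `< OLD_HEADER_LEN` branch only protects this one early exit; initializing `post_header_len` (and `common_header_len`, `number_of_event_types`) in the constructor's initializer list, or at the top of the constructor before the first `DBUG_VOID_RETURN`, would make every existing and future sanity-check return safe for the destructor's free without having to remember the assignment at each site. The comment `/* this makes is_valid() return false. */` should state the mechanism it relies on, namely that `is_valid()` tests `post_header_len` against NULL, so a reader of this hunk sees why the assignment is the fix rather than an incidental reset; the same sentence is worth repeating in the `Fix:` paragraph of the commit message.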