Bug#14771299 OUT-OF-BOUND READS WRITE IN MYSQLBINLOG

Problem:
=======
Found using AddressSanitizer testing.

The mysqlbinlog utility may result in out-of-bound heap
buffer reads and thus, undefined behaviour, when processing
RBR events in the old (pre-5.1 GA) format.

The following code in process_event() would only be correct
if Rows_log_event was the base class for
Write,Update,Delete_rows_log_event_old classes:

    case PRE_GA_WRITE_ROWS_EVENT:
    case PRE_GA_DELETE_ROWS_EVENT:
    case PRE_GA_UPDATE_ROWS_EVENT:
...
        Rows_log_event *e= (Rows_log_event*) ev;
        Table_map_log_event *ignored_map=
          print_event_info->m_table_map_ignored.get_table(e->get_table_id());
...
        if (e->get_flags(Rows_log_event::STMT_END_F))
        {
...
        }

However, Rows_log_event is only the base class for the
Write,Update_Delete_rows_event family of classes, but not
for their *_old counterparts. So the above typecasts are
incorrect for the old-format RBR events and may result (and
do result according to AddressSanitizer reports) in reading
memory outside of the previously allocated on heap buffer.

Fix:
===
The above mentioned invalid type cast has been replaced with
appropriate old counterpart.

Note:The above mentioned issue is present only mysql-5.1 and
5.5. This is fixed in mysql-5.6 and above as part of 
Bug#55790. Hence few of the relevant changes of Bug#55790 are
being back ported to fix the current issue.

client/mysqlbinlog.cc:
  The above mentioned invalid type cast of using new event
  object to read old events, has been replaced with
  appropriate old counterpart.
  
  Note:The above mentioned issue is present only mysql-5.1 and
  5.5. This is fixed in mysql-5.6 and above as part of 
  Bug#55790. Hence few of the relevant changes of Bug#55790 are
  being back ported to fix the current issue.

0 files changed, 0 insertions, 0 deletions