author | Sujatha Sivakumar <sujatha.sivakumar@oracle.com> | 2014-01-10 15:11:56 +0530 |
---|---|---|
committer | Sujatha Sivakumar <sujatha.sivakumar@oracle.com> | 2014-01-10 15:11:56 +0530 |
commit | 605aa82f5d0ae0a7521d06a9a0911b453e9dbf0d (patch) | |
tree | 0f7dd2d26879b656358608ca7b776d7b3961c414 /include | |
parent | d94513ca85ac4cb8e79cfe098a8e2dda1e9e51f6 (diff) | |
download | mariadb-git-605aa82f5d0ae0a7521d06a9a0911b453e9dbf0d.tar.gz |
Bug#17081415:>=4GB ROW EVENT CRASHES SERVER WITH WILD MEMCPY
OF ROW DATA

Problem:
========
Inserting a row larger than 4G when the server uses RBR leads
to a crash.

Analysis:
========
Row-based binary logging logs changes in individual table
rows. During the execution of DML statements in RBR the
actual row data will be stored within the "m_rows_buf" buffer
and this buffer's contents will be written to the binary log.
"m_rows_buf" is prepared within the following function
"Rows_log_event::do_add_row_data".

When a huge row is specified as in this bug scenario where
row size is 4294971520 > UINT_MAX (4294967295) then the
"m_rows_buf" is reallocated to accommodate the row data and
then the row is copied to the buffer. During this realloc
call, the length is getting typecast to "uint" which
results in overflow. Because of the overflow the reallocated
memory happens to be incorrect compared to what was requested
and it results in a crash during copy of row data to the buffer.

Hence rows of size > 4GB cannot be written to the binary log.
By default the event_length can be stored within 4 bytes
which in turn restricts an event's size to grow. Hence large
rows cannot be replicated using row based replication.

Fix:
===
An error is generated if the row size exceeds 4GB value.
Diffstat (limited to 'include')
0 files changed, 0 insertions, 0 deletions
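
The length narrowing described in the commit message and the size check its fix calls for, as an added C example that is not MariaDB's code. The `row_buf` structure, the function names and `MAX_EVENT_BYTES` are hypothetical; the 4-byte limit and the row size 4294971520 come from the commit message.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a growable row buffer such as "m_rows_buf". */
struct row_buf {
    uint8_t *start;
    uint64_t used;      /* bytes of row data already stored */
    uint64_t capacity;  /* bytes currently allocated */
};

/* Largest size a 4-byte event_length can describe (assumed limit name). */
#define MAX_EVENT_BYTES ((uint64_t)UINT32_MAX)

/* The defect: a 64-bit size narrowed to 32 bits before it reaches realloc.
 * Returns the length the allocator would actually be asked for. */
static uint32_t narrowed_alloc_len(uint64_t used, uint64_t row_len)
{
    return (uint32_t)(used + row_len);
}

/* Guarded append: 0 on success, -1 if the row cannot fit in one event or
 * the allocation fails. Nothing is copied unless the size check passes. */
static int add_row_data(struct row_buf *b, const uint8_t *row, uint64_t row_len)
{
    /* Compare by subtraction so used + row_len cannot wrap before the test. */
    if (row_len > MAX_EVENT_BYTES || b->used > MAX_EVENT_BYTES - row_len)
        return -1;
    uint64_t need = b->used + row_len;
    if (need > b->capacity) {
        uint8_t *p = realloc(b->start, (size_t)need);
        if (p == NULL)
            return -1;
        b->start = p;
        b->capacity = need;
    }
    memcpy(b->start + b->used, row, (size_t)row_len);
    b->used = need;
    return 0;
}

int main(void)
{
    uint64_t huge = 4294971520ULL;  /* row size from the commit message */
    struct row_buf b = {0};
    uint8_t sample[4] = {0};        /* constructed sample row data */
    printf("narrowed length: %u bytes\n", (unsigned)narrowed_alloc_len(0, huge));
    printf("guarded append:  %d\n", add_row_data(&b, sample, huge));
    free(b.start);
    return 0;
}
```

With the narrowing cast, the allocator is asked for 4224 bytes while the subsequent copy still uses the full 64-bit length, which is the mismatch behind the crash.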