author: unknown <mats@capulet.net> 2007-11-09 13:43:09 +0100
committer: unknown <mats@capulet.net> 2007-11-09 13:43:09 +0100
commit: dc91bc74c75f3f3e6a506dd6b20dc6c066af53ae
tree: bcbd839e4381c199b09475b729427a2525e576bb /mysql-test/std_data
parent: 4e72c47fc350a858760c00fcaa44f8d0c1f7ee30
BUG#31793 (log event corruption causes crash):
When running mysqlbinlog on a 64-bit machine with a corrupt relay log, it causes mysqlbinlog to crash. In this case, the crash is caused because a request for 18446744073709534806U bytes is issued, which apparently can be served on a 64-bit machine (speculatively, I assume) but this causes the memcpy() issued later to copy the data to segfault. The request for the number of bytes is caused by a computation of data_len - server_vars_len where server_vars_len is corrupt in such a sense that it is > data_len. This causes a wrap-around, with the data_len given above.

This patch adds a check of whether server_vars_len is greater than data_len before the subtraction, and aborts reading the event in that case, marking the event as invalid. It also adds checks to see that reading the server variables does not go outside the bounds of the available space, giving a limited amount of integrity check.

mysql-test/r/mysqlbinlog.result: Result change.

mysql-test/t/mysqlbinlog.test: Adding test that it fails gracefully for a corrupt relay log.

sql/log_event.cc: Adding check that status var length does not cause wrap-around when performing subtraction. Extending get_str_len_and_pointer() to check that the string can actually be read without reading outside bounds. Adding checks when reading server variables from the Query-log_event so that the variable can really be read. Abort reading and mark the event as invalid otherwise.

mysql-test/std_data/corrupt-relay-bin.000624: BitKeeper file /home/mats/devel/b31793-mysql-5.0-rpl/mysql-test/std_data/corrupt-relay-bin.000624
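The wrap-around and the two kinds of check described in the commit message, as an added C example that is not code from this patch or from MySQL. The function names, the 1-byte length-prefixed string layout and the sample lengths (constructed so that the difference wraps to the figure quoted above) are assumptions for illustration.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Unchecked form: unsigned subtraction wraps when vars_len > data_len. */
static uint64_t payload_len_unchecked(uint64_t data_len, uint64_t vars_len)
{
    return data_len - vars_len;
}

/* Checked form (hypothetical helper): reject instead of wrapping.
 * Returns 0 and sets *out on success, -1 if the length field is corrupt. */
static int payload_len_checked(uint64_t data_len, uint64_t vars_len, uint64_t *out)
{
    if (vars_len > data_len)
        return -1;                    /* caller marks the event invalid */
    *out = data_len - vars_len;
    return 0;
}

/* Bounded read of a string stored as <1-byte length><bytes> in [*pos, end).
 * The layout is an assumption. Advances *pos only on success; returns -1
 * when the prefix or the string body would lie outside the buffer. */
static int read_lp_string(const unsigned char **pos, const unsigned char *end,
                          const unsigned char **str, uint8_t *len)
{
    if (*pos >= end)
        return -1;                    /* no room for the length byte */
    uint8_t n = **pos;
    if ((size_t)(end - *pos - 1) < n)
        return -1;                    /* body would run past the end */
    *str = *pos + 1;
    *len = n;
    *pos += 1 + (size_t)n;
    return 0;
}

int main(void)
{
    /* Constructed lengths: the corrupt field exceeds data_len by 16810. */
    uint64_t data_len = 100, vars_len = 16910, out = 0;
    printf("unchecked: %" PRIu64 "\n", payload_len_unchecked(data_len, vars_len));
    printf("checked:   %d\n", payload_len_checked(data_len, vars_len, &out));
    return 0;
}
```
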
Diffstat (limited to 'mysql-test/std_data')
-rw-r--r-- mysql-test/std_data/corrupt-relay-bin.000624 | bin 0 -> 91418 bytes
1 files changed, 0 insertions, 0 deletions
diff --git a/mysql-test/std_data/corrupt-relay-bin.000624 b/mysql-test/std_data/corrupt-relay-bin.000624
new file mode 100644
index 00000000000..21b4901211c
--- /dev/null
+++ b/mysql-test/std_data/corrupt-relay-bin.000624
Binary files differ
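Review bot: The new fixture corrupt-relay-bin.000624 is an opaque 91418-byte binary, and nothing alongside it records which event carries the bad length field or how the file was produced. A short note next to the fixture or in the test that uses it, naming the corrupt field and its offset, would let a later maintainer regenerate or audit it; if a much smaller log still triggers the check, trimming the file to that would also keep the test data reviewable.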