diff options
| author | Nuno Carvalho <nuno.carvalho@oracle.com> | 2012-10-12 08:32:10 +0100 |
|---|---|---|
| committer | Nuno Carvalho <nuno.carvalho@oracle.com> | 2012-10-12 08:32:10 +0100 |
| commit | f1d3b0f19011217c13927f44a82e8e17291fbba7 (patch) | |
| tree | a14d05446ba13c143defb677b91cdb209503b0f8 /sql/log_event.h | |
| parent | 1d16fc16dc50d21e2456d6367cea20f83404ffc6 (diff) | |
| download | mariadb-git-f1d3b0f19011217c13927f44a82e8e17291fbba7.tar.gz | |
BUG#14629727: USER_VAR_EVENT IS MISSING RANGE CHECKS
This bug had two problems:
P1) Reads out of bounds;
P2) Writes out of bounds.
PROBLEM P1
----------
User_var_log_event unmarshalling from binlog was not performing range
checks when using name_len and val_len variables to walk on event
buffer.
Added range checks to User_var_log_event unmarshalling to prevent
unmarshalling errors.
PROBLEM P2
----------
User_var_log_event value was allocated on thread stack, what caused
stack frame errors when User_var_log_event value was bigger than thread
stack size.
Currently value is allocated on heap memory.
Diffstat (limited to 'sql/log_event.h')
| -rw-r--r-- | sql/log_event.h | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sql/log_event.h b/sql/log_event.h index ba6b9b876aa..c36564fcde8 100644 --- a/sql/log_event.h +++ b/sql/log_event.h @@ -2496,7 +2496,7 @@ public: void print(FILE* file, PRINT_EVENT_INFO* print_event_info); #endif - User_var_log_event(const char* buf, + User_var_log_event(const char* buf, uint event_len, const Format_description_log_event *description_event); ~User_var_log_event() {} Log_event_type get_type_code() { return USER_VAR_EVENT;} @@ -2510,7 +2510,7 @@ public: bool is_deferred() { return deferred; } void set_deferred() { deferred= true; } #endif - bool is_valid() const { return 1; } + bool is_valid() const { return name != 0; } private: #if !defined(MYSQL_CLIENT) && defined(HAVE_REPLICATION) |