diff options
| author | Ramil Kalimullin <ramil@mysql.com> | 2010-06-18 21:32:23 +0400 |
|---|---|---|
| committer | Ramil Kalimullin <ramil@mysql.com> | 2010-06-18 21:32:23 +0400 |
| commit | 936a2b111ad375d4affc7b89ed1d9fe7570bcaf5 (patch) | |
| tree | 065840ea9fc5e06f7f8f37d797c8249c29a7ca05 /sql/sql_binlog.cc | |
| parent | 218a15b76a35ab2664f0617fda08698890b1cdff (diff) | |
| download | mariadb-git-936a2b111ad375d4affc7b89ed1d9fe7570bcaf5.tar.gz | |
Fix for bug #54393: crash and/or valgrind errors in
mysql_client_binlog_statement
Problem: server may read from unassigned memory performing
"wrong" BINLOG queries.
Fix: never read from unassigned memory.
Diffstat (limited to 'sql/sql_binlog.cc')
| -rw-r--r-- | sql/sql_binlog.cc | 29 |
1 files changed, 12 insertions, 17 deletions
diff --git a/sql/sql_binlog.cc b/sql/sql_binlog.cc index ee51480411b..82de6feb1a9 100644 --- a/sql/sql_binlog.cc +++ b/sql/sql_binlog.cc @@ -42,9 +42,13 @@ void mysql_client_binlog_statement(THD* thd) if (check_global_access(thd, SUPER_ACL)) DBUG_VOID_RETURN; - size_t coded_len= thd->lex->comment.length + 1; + size_t coded_len= thd->lex->comment.length; + if (!coded_len) + { + my_error(ER_SYNTAX_ERROR, MYF(0)); + DBUG_VOID_RETURN; + } size_t decoded_len= base64_needed_decoded_length(coded_len); - DBUG_ASSERT(coded_len > 0); /* Allocation @@ -145,14 +149,16 @@ void mysql_client_binlog_statement(THD* thd) /* Checking that the first event in the buffer is not truncated. */ - ulong event_len= uint4korr(bufptr + EVENT_LEN_OFFSET); - DBUG_PRINT("info", ("event_len=%lu, bytes_decoded=%d", - event_len, bytes_decoded)); - if (bytes_decoded < EVENT_LEN_OFFSET || (uint) bytes_decoded < event_len) + ulong event_len; + if (bytes_decoded < EVENT_LEN_OFFSET + 4 || + (event_len= uint4korr(bufptr + EVENT_LEN_OFFSET)) > + (uint) bytes_decoded) { my_error(ER_SYNTAX_ERROR, MYF(0)); goto end; } + DBUG_PRINT("info", ("event_len=%lu, bytes_decoded=%d", + event_len, bytes_decoded)); /* If we have not seen any Format_description_event, then we must @@ -190,17 +196,6 @@ void mysql_client_binlog_statement(THD* thd) bufptr += event_len; DBUG_PRINT("info",("ev->get_type_code()=%d", ev->get_type_code())); -#ifndef HAVE_purify - /* - This debug printout should not be used for valgrind builds - since it will read from unassigned memory. - */ - DBUG_PRINT("info",("bufptr+EVENT_TYPE_OFFSET: 0x%lx", - (long) (bufptr+EVENT_TYPE_OFFSET))); - DBUG_PRINT("info", ("bytes_decoded: %d bufptr: 0x%lx buf[EVENT_LEN_OFFSET]: %lu", - bytes_decoded, (long) bufptr, - (ulong) uint4korr(bufptr+EVENT_LEN_OFFSET))); -#endif ev->thd= thd; /* We go directly to the application phase, since we don't need |