Diffstat (limited to 'sql/log_event.cc')
-rw-r--r-- | sql/log_event.cc | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/sql/log_event.cc b/sql/log_event.cc
index d0cfa799d3c..0aa53a6f2bd 100644
--- a/sql/log_event.cc
+++ b/sql/log_event.cc
@@ -19,6 +19,7 @@
 #ifdef MYSQL_CLIENT
 #include "sql_priv.h"
+#include "mysqld_error.h"
 #else
@@ -2424,6 +2425,14 @@ Rows_log_event::print_verbose_one_row(IO_CACHE *file, table_def *td,
 else
 {
 my_b_printf(file, "### @%d=", i + 1);
+ size_t fsize= td->calc_field_size((uint)i, (uchar*) value);
+ if (value + fsize > m_rows_end)
+ {
+ my_b_printf(file, "***Corrupted replication event was detected."
+ " Not printing the value***\n");
+ value+= fsize;
+ return 0;
+ }
 size_t size= log_event_print_value(file, value, td->type(i), td->field_metadata(i), typestr, sizeof(typestr));
@@ -5440,11 +5449,22 @@ int Load_log_event::copy_log_event(const char *buf, ulong event_len,
 fields = (char*)field_lens + num_fields;
 table_name = fields + field_block_len;
 db = table_name + table_name_len + 1;
+ DBUG_EXECUTE_IF ("simulate_invalid_address",
+ db_len = data_len;);
 fname = db + db_len + 1;
+ if ((db_len > data_len) || (fname > buf_end))
+ goto err;
 fname_len = (uint) strlen(fname);
+ if ((fname_len > data_len) || (fname + fname_len > buf_end))
+ goto err;
 // null termination is accomplished by the caller doing buf[event_len]=0
 DBUG_RETURN(0);
+
+err:
+ // Invalid event.
+ table_name = 0;
+ DBUG_RETURN(1);
 } |
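Review bot: The new guard `if (value + fsize > m_rows_end)` in print_verbose_one_row forms the sum before comparing, so a very large `fsize` derived from a corrupted event can push the pointer far beyond the row buffer or wrap it, and the comparison may then pass. Comparing the length against the space that is left avoids the out-of-range pointer: `if (value > m_rows_end || fsize > (size_t) (m_rows_end - value))`. `calc_field_size` is also handed `value` before any bound is applied; its body is not in the hunk, but if it reads a length prefix it presumably reads bytes that may already lie past `m_rows_end`, which is worth confirming. The `value+= fsize;` just before `return 0;` looks like a dead store if `value` is local to this function, whose body starts and ends outside the hunk.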
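Review bot: `strlen(fname)` in copy_log_event runs before the second bound check, so `(fname + fname_len > buf_end)` can only become true after the scan has already read past `buf_end`; the check reports the over-read instead of preventing it. A bounded scan keeps the read inside the event, for example `fname_len = (uint) strnlen(fname, (size_t) (buf_end - fname) + 1);`, with the existing `goto err` test kept after it. This assumes `buf_end` is the byte the caller zeroes, as the comment about `buf[event_len]=0` suggests; its definition and the start of the function are outside the hunk. `fname = db + db_len + 1;` is likewise computed before `db_len > data_len` is tested, and the `err:` path resets only `table_name`, so a comment there such as `// db and fname are not valid after a non-zero return` would tell callers not to touch them.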