summaryrefslogtreecommitdiff
path: root/sql/log_event.cc
diff options
context:
space:
mode:
Diffstat (limited to 'sql/log_event.cc')
-rw-r--r--sql/log_event.cc20
1 files changed, 20 insertions, 0 deletions
diff --git a/sql/log_event.cc b/sql/log_event.cc
index 73686a2fd0c..826a45f6da8 100644
--- a/sql/log_event.cc
+++ b/sql/log_event.cc
@@ -19,6 +19,7 @@
#ifdef MYSQL_CLIENT
#include "sql_priv.h"
+#include "mysqld_error.h"
#else
@@ -2250,6 +2251,14 @@ Rows_log_event::print_verbose_one_row(IO_CACHE *file, table_def *td,
else
{
my_b_printf(file, "### @%d=", i + 1);
+ size_t fsize= td->calc_field_size((uint)i, (uchar*) value);
+ if (value + fsize > m_rows_end)
+ {
+ my_b_printf(file, "***Corrupted replication event was detected."
+ " Not printing the value***\n");
+ value+= fsize;
+ return 0;
+ }
size_t size= log_event_print_value(file, value,
td->type(i), td->field_metadata(i),
typestr, sizeof(typestr));
@@ -5162,11 +5171,22 @@ int Load_log_event::copy_log_event(const char *buf, ulong event_len,
fields = (char*)field_lens + num_fields;
table_name = fields + field_block_len;
db = table_name + table_name_len + 1;
+ DBUG_EXECUTE_IF ("simulate_invalid_address",
+ db_len = data_len;);
fname = db + db_len + 1;
+ if ((db_len > data_len) || (fname > buf_end))
+ goto err;
fname_len = (uint) strlen(fname);
+ if ((fname_len > data_len) || (fname + fname_len > buf_end))
+ goto err;
// null termination is accomplished by the caller doing buf[event_len]=0
DBUG_RETURN(0);
+
+err:
+ // Invalid event.
+ table_name = 0;
+ DBUG_RETURN(1);
}