BUG#31793 (log event corruption causes crash):

Corrections to get_str_len_and_pointer().
parent a88babcb
......@@ -1436,11 +1436,12 @@ get_str_len_and_pointer(const Log_event::Byte **src,
if (length > 0)
{
if (*src + length >= end)
return *src + length - end; // Number of bytes missing
return *src + length - end + 1; // Number of bytes missing
*dst= (char *)*src + 1; // Will be copied later
}
*len= length;
(*src)+= *len + 1;
*src+= length + 1;
return 0;
}
static void copy_str_and_move(const char **src,
......@@ -1454,6 +1455,23 @@ static void copy_str_and_move(const char **src,
}
static char const *code_name(int code) {
char buf[255];
switch (code) {
case Q_FLAGS2_CODE: return "Q_FLAGS2_CODE";
case Q_SQL_MODE_CODE: return "Q_SQL_MODE_CODE";
case Q_CATALOG_CODE: return "Q_CATALOG_CODE";
case Q_AUTO_INCREMENT: return "Q_AUTO_INCREMENT";
case Q_CHARSET_CODE: return "Q_CHARSET_CODE";
case Q_TIME_ZONE_CODE: return "Q_TIME_ZONE_CODE";
case Q_CATALOG_NZ_CODE: return "Q_CATALOG_NZ_CODE";
case Q_LC_TIME_NAMES_CODE: return "Q_LC_TIME_NAMES_CODE";
case Q_CHARSET_DATABASE_CODE: return "Q_CHARSET_DATABASE_CODE";
}
sprintf(buf, "CODE#%d", code);
return buf;
}
/**
Macro to check that there is enough space to read from memory.
......@@ -1463,8 +1481,10 @@ static void copy_str_and_move(const char **src,
*/
#define CHECK_SPACE(PTR,END,CNT) \
do { \
DBUG_PRINT("info", ("Read %s", code_name(pos[-1]))); \
DBUG_ASSERT((PTR) + (CNT) <= (END)); \
if ((PTR) + (CNT) > (END)) { \
DBUG_PRINT("info", ("query= 0")); \
query= 0; \
DBUG_VOID_RETURN; \
} \
......@@ -1527,8 +1547,10 @@ Query_log_event::Query_log_event(const char* buf, uint event_len,
be even bigger, but this will suffice to catch most corruption
errors that can lead to a crash.
*/
if (status_vars_len >= min(data_len + 1, MAX_SIZE_LOG_EVENT_STATUS))
if (status_vars_len > min(data_len, MAX_SIZE_LOG_EVENT_STATUS))
{
DBUG_PRINT("info", ("status_vars_len: %d; data_len: %d; query= 0",
status_vars_len, data_len));
query= 0;
DBUG_VOID_RETURN;
}
......@@ -1571,8 +1593,11 @@ Query_log_event::Query_log_event(const char* buf, uint event_len,
break;
}
case Q_CATALOG_NZ_CODE:
DBUG_PRINT("info", ("case Q_CATALOG_NZ_CODE; pos: 0x%lx; end: 0x%lx",
pos, end));
if (get_str_len_and_pointer(&pos, &catalog, &catalog_len, end))
{
DBUG_PRINT("info", ("query= 0"));
query= 0;
DBUG_VOID_RETURN;
}
......@@ -1595,6 +1620,7 @@ Query_log_event::Query_log_event(const char* buf, uint event_len,
{
if (get_str_len_and_pointer(&pos, &time_zone_str, &time_zone_len, end))
{
DBUG_PRINT("info", ("Q_TIME_ZONE_CODE: query= 0"));
query= 0;
DBUG_VOID_RETURN;
}
......@@ -2124,6 +2150,7 @@ end:
*/
thd->catalog= 0;
thd->set_db(NULL, 0); /* will free the current database */
DBUG_PRINT("info", ("end: query= 0"));
thd->query= 0; // just to be sure
thd->query_length= 0;
VOID(pthread_mutex_unlock(&LOCK_thread_count));
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment