Commit 936a2b11 authored by Ramil Kalimullin's avatar Ramil Kalimullin

Fix for bug #54393: crash and/or valgrind errors in

mysql_client_binlog_statement

Problem: server may read from unassigned memory performing
"wrong" BINLOG queries.

Fix: never read from unassigned memory.
parent 218a15b7
...@@ -91,3 +91,14 @@ iONkSBcBAAAAKwAAAMQBAAAQABAAAAAAAAEAA//4AQAAAAMAMTIzAQAAAA== ...@@ -91,3 +91,14 @@ iONkSBcBAAAAKwAAAMQBAAAQABAAAAAAAAEAA//4AQAAAAMAMTIzAQAAAA==
'; ';
ERROR HY000: master may suffer from http://bugs.mysql.com/bug.php?id=37426 so slave stops; check error log on slave for more info ERROR HY000: master may suffer from http://bugs.mysql.com/bug.php?id=37426 so slave stops; check error log on slave for more info
drop table t1, char63_utf8, char128_utf8; drop table t1, char63_utf8, char128_utf8;
#
# Bug #54393: crash and/or valgrind errors in
# mysql_client_binlog_statement
#
BINLOG '';
ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use
BINLOG '123';
BINLOG '-2079193929';
ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use
BINLOG 'xç↓%~∙D╒ƒ╡';
ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use
...@@ -150,3 +150,16 @@ iONkSBcBAAAAKwAAAMQBAAAQABAAAAAAAAEAA//4AQAAAAMAMTIzAQAAAA== ...@@ -150,3 +150,16 @@ iONkSBcBAAAAKwAAAMQBAAAQABAAAAAAAAEAA//4AQAAAAMAMTIzAQAAAA==
'; ';
drop table t1, char63_utf8, char128_utf8; drop table t1, char63_utf8, char128_utf8;
--echo #
--echo # Bug #54393: crash and/or valgrind errors in
--echo # mysql_client_binlog_statement
--echo #
--error ER_SYNTAX_ERROR
BINLOG '';
BINLOG '123';
--error ER_SYNTAX_ERROR
BINLOG '-2079193929';
--error ER_SYNTAX_ERROR
BINLOG 'xç↓%~∙D╒ƒ╡';
...@@ -42,9 +42,13 @@ void mysql_client_binlog_statement(THD* thd) ...@@ -42,9 +42,13 @@ void mysql_client_binlog_statement(THD* thd)
if (check_global_access(thd, SUPER_ACL)) if (check_global_access(thd, SUPER_ACL))
DBUG_VOID_RETURN; DBUG_VOID_RETURN;
size_t coded_len= thd->lex->comment.length + 1; size_t coded_len= thd->lex->comment.length;
if (!coded_len)
{
my_error(ER_SYNTAX_ERROR, MYF(0));
DBUG_VOID_RETURN;
}
size_t decoded_len= base64_needed_decoded_length(coded_len); size_t decoded_len= base64_needed_decoded_length(coded_len);
DBUG_ASSERT(coded_len > 0);
/* /*
Allocation Allocation
...@@ -145,14 +149,16 @@ void mysql_client_binlog_statement(THD* thd) ...@@ -145,14 +149,16 @@ void mysql_client_binlog_statement(THD* thd)
/* /*
Checking that the first event in the buffer is not truncated. Checking that the first event in the buffer is not truncated.
*/ */
ulong event_len= uint4korr(bufptr + EVENT_LEN_OFFSET); ulong event_len;
DBUG_PRINT("info", ("event_len=%lu, bytes_decoded=%d", if (bytes_decoded < EVENT_LEN_OFFSET + 4 ||
event_len, bytes_decoded)); (event_len= uint4korr(bufptr + EVENT_LEN_OFFSET)) >
if (bytes_decoded < EVENT_LEN_OFFSET || (uint) bytes_decoded < event_len) (uint) bytes_decoded)
{ {
my_error(ER_SYNTAX_ERROR, MYF(0)); my_error(ER_SYNTAX_ERROR, MYF(0));
goto end; goto end;
} }
DBUG_PRINT("info", ("event_len=%lu, bytes_decoded=%d",
event_len, bytes_decoded));
/* /*
If we have not seen any Format_description_event, then we must If we have not seen any Format_description_event, then we must
...@@ -190,17 +196,6 @@ void mysql_client_binlog_statement(THD* thd) ...@@ -190,17 +196,6 @@ void mysql_client_binlog_statement(THD* thd)
bufptr += event_len; bufptr += event_len;
DBUG_PRINT("info",("ev->get_type_code()=%d", ev->get_type_code())); DBUG_PRINT("info",("ev->get_type_code()=%d", ev->get_type_code()));
#ifndef HAVE_purify
/*
This debug printout should not be used for valgrind builds
since it will read from unassigned memory.
*/
DBUG_PRINT("info",("bufptr+EVENT_TYPE_OFFSET: 0x%lx",
(long) (bufptr+EVENT_TYPE_OFFSET)));
DBUG_PRINT("info", ("bytes_decoded: %d bufptr: 0x%lx buf[EVENT_LEN_OFFSET]: %lu",
bytes_decoded, (long) bufptr,
(ulong) uint4korr(bufptr+EVENT_LEN_OFFSET)));
#endif
ev->thd= thd; ev->thd= thd;
/* /*
We go directly to the application phase, since we don't need We go directly to the application phase, since we don't need
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment