Commit 0e15ae16 authored by Marko Mäkelä's avatar Marko Mäkelä

recv_report_corrupt_log(): Avoid buffer overflow

If recv_sys_justify_left_parsing_buf() has been invoked, it is possible
that recv_previous_parsed_rec_offset is after the current offset.
In this case, we must not dump any bytes before the current record.
parent bdf50c3e
...@@ -2308,30 +2308,30 @@ recv_report_corrupt_log( ...@@ -2308,30 +2308,30 @@ recv_report_corrupt_log(
ib::error() << ib::error() <<
"############### CORRUPT LOG RECORD FOUND ##################"; "############### CORRUPT LOG RECORD FOUND ##################";
const ulint ptr_offset = ulint(ptr - recv_sys->buf);
ib::info() << "Log record type " << type << ", page " << space << ":" ib::info() << "Log record type " << type << ", page " << space << ":"
<< page_no << ". Log parsing proceeded successfully up to " << page_no << ". Log parsing proceeded successfully up to "
<< recv_sys->recovered_lsn << ". Previous log record type " << recv_sys->recovered_lsn << ". Previous log record type "
<< recv_previous_parsed_rec_type << ", is multi " << recv_previous_parsed_rec_type << ", is multi "
<< recv_previous_parsed_rec_is_multi << " Recv offset " << recv_previous_parsed_rec_is_multi << " Recv offset "
<< (ptr - recv_sys->buf) << ", prev " << ptr_offset << ", prev "
<< recv_previous_parsed_rec_offset; << recv_previous_parsed_rec_offset;
ut_ad(ptr <= recv_sys->buf + recv_sys->len); ut_ad(ptr <= recv_sys->buf + recv_sys->len);
const ulint limit = 100; const ulint limit = 100;
const ulint before const ulint prev_offset = std::min(recv_previous_parsed_rec_offset,
= std::min(recv_previous_parsed_rec_offset, limit); ptr_offset);
const ulint after const ulint before = std::min(prev_offset, limit);
= std::min(recv_sys->len - (ptr - recv_sys->buf), limit); const ulint after = std::min(recv_sys->len - ptr_offset, limit);
ib::info() << "Hex dump starting " << before << " bytes before and" ib::info() << "Hex dump starting " << before << " bytes before and"
" ending " << after << " bytes after the corrupted record:"; " ending " << after << " bytes after the corrupted record:";
ut_print_buf(stderr, const byte* start = recv_sys->buf + prev_offset - before;
recv_sys->buf
+ recv_previous_parsed_rec_offset - before, ut_print_buf(stderr, start, ulint(ptr - start) + after);
ptr - recv_sys->buf + before + after
- recv_previous_parsed_rec_offset);
putc('\n', stderr); putc('\n', stderr);
if (!srv_force_recovery) { if (!srv_force_recovery) {
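Review bot: The new `after` computation still depends on `ut_ad(ptr <= recv_sys->buf + recv_sys->len)` for its upper bound, and that assertion is, as far as I know, compiled out of non-debug builds. If `ptr_offset` ever exceeds `recv_sys->len` while reporting a corrupt record, the unsigned `recv_sys->len - ptr_offset` wraps and `std::min` clamps it to `limit`, so `ut_print_buf` would dump up to 100 bytes past the valid data. An explicit guard closes the upper side the same way the commit closes the lower side: `const ulint after = ptr_offset < recv_sys->len ? std::min(recv_sys->len - ptr_offset, limit) : 0;`. A short comment above `prev_offset`, such as `/* recv_sys_justify_left_parsing_buf() may have moved the buffer, leaving the previous offset past ptr */`, would record why the clamp exists. recv_report_corrupt_log() starts and ends outside this hunk, so callers may already guarantee the bound.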