List: Commits
From: Luis Soares
Date: September 22 2010 12:30am
Subject: bzr commit into mysql-next-mr-bugfixing branch (luis.soares:3298) Bug#56883
#At file:///home/lsoares/Workspace/bzr/work/bugfixing/56883/mysql-next-mr-bugfixing/ based on revid:mats.kindahl@stripped

 3298 Luis Soares	2010-09-22
      BUG#56883: rpl_row_ignorable_event fails on valgrind run
      
      The buffer used in mysql_client_binlog_statement is never
      initialized. If an event is processed and its payload is handled
      as a null terminated string, then conditional jumps depending on
      uninitialized values may occur. This was the case for
      Rows_query_log_event.
      
      We fix this by always setting a null terminator mark on byte
      'buf+event_len' when an event is decoded from the BINLOG
      statement. Given that the buffer is reused for all events on a
      BINLOG statement, then this is also an extra security measure
      against dumping garbage from a previous event somehow...

    modified:
      sql/sql_binlog.cc
=== modified file 'sql/sql_binlog.cc'
--- a/sql/sql_binlog.cc	2010-09-21 11:32:50 +0000
+++ b/sql/sql_binlog.cc	2010-09-22 00:30:33 +0000
@@ -232,6 +232,14 @@ void mysql_client_binlog_statement(THD* 
       DBUG_PRINT("info", ("event_len=%lu, bytes_decoded=%d",
                           event_len, bytes_decoded));
 
+      /* 
+        'buf' is reused on every iteration (new event decoding and apply), 
+        so better make it a NULL terminated string, so that no conditional 
+        jumps depending on uninitialized strings happen. (eg, as potentially 
+        that could be the case in Rows_query_log_event - BUG#56883).
+       */
+      *(bufptr+event_len)= '\0';
+
       if (check_event_type(bufptr[EVENT_TYPE_OFFSET], rli))
         goto end;
 
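Review bot: The added store `*(bufptr+event_len)= '\0';` writes one byte past the decoded event, and nothing in this hunk shows that `buf` has room for `event_len + 1` bytes or that `event_len` has already been checked against `bytes_decoded` at this point. If either is not guaranteed, the terminator becomes a one-byte out-of-bounds write driven by a length that comes from the BINLOG statement input. Please confirm the allocation covers the extra byte and that the store sits after the length validation, or add an explicit bound check before it. Minor: the comment should say NUL-terminated rather than "NULL terminated", and several of its lines carry trailing whitespace.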


Attachment: [text/bzr-bundle] bzr/luis.soares@oracle.com-20100922003033-5ae8jyvzp7wgam43.bundle