#At file:///home/lsoares/Workspace/bzr/work/bugfixing/56883/mysql-next-mr-bugfixing/ based on revid:mats.kindahl@stripped
3298 Luis Soares 2010-09-22
BUG#56883: rpl_row_ignorable_event fails on valgrind run
The buffer used in mysql_client_binlog_statement is never
initialized. If an event is processed and its payload is handled
as a null terminated string, then conditional jumps depending on
uninitialized values may occur. This was the case for
Rows_query_log_event.
We fix this by always setting a null terminator mark on byte
'buf+event_len' when an event is decoded from the BINLOG
statement. Given that the buffer is reused for all events on a
BINLOG statement, this is also an extra security measure
against dumping garbage from a previous event somehow...
modified:
sql/sql_binlog.cc
=== modified file 'sql/sql_binlog.cc'
--- a/sql/sql_binlog.cc 2010-09-21 11:32:50 +0000
+++ b/sql/sql_binlog.cc 2010-09-22 00:30:33 +0000
@@ -232,6 +232,14 @@ void mysql_client_binlog_statement(THD*
DBUG_PRINT("info", ("event_len=%lu, bytes_decoded=%d",
event_len, bytes_decoded));
+ /*
+ 'buf' is reused on every iteration (new event decoding and apply),
+ so better make it a NULL terminated string, so that no conditional
+ jumps depending on uninitialized strings happen. (eg, as potentially
+ that could be the case in Rows_query_log_event - BUG#56883).
+ */
+ *(bufptr+event_len)= '\0';
+
if (check_event_type(bufptr[EVENT_TYPE_OFFSET], rli))
goto end;
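Review bot: the write `*(bufptr+event_len)= '\0';` needs a capacity check before it lands, because nothing in this hunk shows that the decode buffer was sized with a spare byte: if `bufptr + event_len` can equal the end of the allocation (an event that fills the decoded chunk exactly), this is a one-byte out-of-bounds write, which is the kind of defect the Valgrind run in BUG#56883 would flag in a different place. Please either assert that `bufptr + event_len` lies strictly inside the buffer or size the allocation with one extra byte, and note which in the comment. A second question for the same line: the commit message says `buf` holds every event of the BINLOG statement, so if more than one decoded event can sit in the buffer at once, the terminator overwrites the first byte of the following event (its timestamp) before that event is processed; confirm that each loop iteration holds exactly one event, or place the terminator after the last event of the decoded chunk instead. Finally, the terminator only guarantees a `'\0'` at offset `event_len`; the bytes beyond it stay uninitialized, so a consumer that reads past `event_len` for any reason other than string termination is still not covered, and the comment should say that the fix is scoped to null-terminated reads such as the one in Rows_query_log_event.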
Attachment: [text/bzr-bundle] bzr/luis.soares@oracle.com-20100922003033-5ae8jyvzp7wgam43.bundle