#At file:///home/ram/mysql/b54393-5.1-bugteam/ based on revid:joerg@strippedmmiz4xeei4hvg
3436 Ramil Kalimullin 2010-06-18
Fix for bug #54393: crash and/or valgrind errors in
mysql_client_binlog_statement
Problem: server may read from unassigned memory performing
"wrong" BINLOG queries.
Fix: never read from unassigned memory.
@ mysql-test/suite/binlog/r/binlog_base64_flag.result
Fix for bug #54393: crash and/or valgrind errors in
mysql_client_binlog_statement
- test result.
@ mysql-test/suite/binlog/t/binlog_base64_flag.test
Fix for bug #54393: crash and/or valgrind errors in
mysql_client_binlog_statement
- test case.
@ sql/sql_binlog.cc
Fix for bug #54393: crash and/or valgrind errors in
mysql_client_binlog_statement
- coded_len should not count the trailing '\0';
- never read from unassigned memory.
modified:
mysql-test/suite/binlog/r/binlog_base64_flag.result
mysql-test/suite/binlog/t/binlog_base64_flag.test
sql/sql_binlog.cc
=== modified file 'mysql-test/suite/binlog/r/binlog_base64_flag.result'
--- a/mysql-test/suite/binlog/r/binlog_base64_flag.result 2008-08-04 05:04:47 +0000
+++ b/mysql-test/suite/binlog/r/binlog_base64_flag.result 2010-06-18 17:32:23 +0000
@@ -91,3 +91,14 @@ iONkSBcBAAAAKwAAAMQBAAAQABAAAAAAAAEAA//4
';
ERROR HY000: master may suffer from http://bugs.mysql.com/bug.php?id=37426 so slave stops; check error log on slave for more info
drop table t1, char63_utf8, char128_utf8;
+#
+# Bug #54393: crash and/or valgrind errors in
+# mysql_client_binlog_statement
+#
+BINLOG '';
+ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use
+BINLOG '123';
+BINLOG '-2079193929';
+ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use
+BINLOG 'xç↓%~∙D╒ƒ╡';
+ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use
=== modified file 'mysql-test/suite/binlog/t/binlog_base64_flag.test'
--- a/mysql-test/suite/binlog/t/binlog_base64_flag.test 2008-06-30 20:11:18 +0000
+++ b/mysql-test/suite/binlog/t/binlog_base64_flag.test 2010-06-18 17:32:23 +0000
@@ -150,3 +150,16 @@ iONkSBcBAAAAKwAAAMQBAAAQABAAAAAAAAEAA//4
';
drop table t1, char63_utf8, char128_utf8;
+
+
+--echo #
+--echo # Bug #54393: crash and/or valgrind errors in
+--echo # mysql_client_binlog_statement
+--echo #
+--error ER_SYNTAX_ERROR
+BINLOG '';
+BINLOG '123';
+--error ER_SYNTAX_ERROR
+BINLOG '-2079193929';
+--error ER_SYNTAX_ERROR
+BINLOG 'xç↓%~∙D╒ƒ╡';
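Review bot: `BINLOG '123';` is the only new statement without a preceding `--error` line, so the test silently asserts that a 3-character, non-quad base64 string is accepted; why that input is expected to succeed (presumably the decoder yields no bytes and the statement becomes a no-op, though that path is not on this page) should be stated next to it, e.g. `--echo # no error expected: input decodes to nothing`. The last literal is shown here with non-ASCII characters whose bytes look encoding-mangled on this page; pinning the intended raw bytes in a comment (or using a hex/escape form) would keep the case reproducible across editors and client charsets.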
=== modified file 'sql/sql_binlog.cc'
--- a/sql/sql_binlog.cc 2009-10-14 01:39:05 +0000
+++ b/sql/sql_binlog.cc 2010-06-18 17:32:23 +0000
@@ -42,9 +42,13 @@ void mysql_client_binlog_statement(THD*
if (check_global_access(thd, SUPER_ACL))
DBUG_VOID_RETURN;
- size_t coded_len= thd->lex->comment.length + 1;
+ size_t coded_len= thd->lex->comment.length;
+ if (!coded_len)
+ {
+ my_error(ER_SYNTAX_ERROR, MYF(0));
+ DBUG_VOID_RETURN;
+ }
size_t decoded_len= base64_needed_decoded_length(coded_len);
- DBUG_ASSERT(coded_len > 0);
/*
Allocation
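Review bot: The new `if (!coded_len)` guard carries no comment explaining why it sits before `base64_needed_decoded_length` and why a runtime error now replaces the removed `DBUG_ASSERT(coded_len > 0)`; a one-line comment such as `/* Empty statement: nothing to decode, reject before sizing the buffer */` would keep that intent visible. Dropping the `+ 1` from `coded_len` is consistent with the commit message, but the later decode call that consumes `coded_len` is outside this hunk, so whether any other arithmetic still assumed the terminator is included cannot be confirmed from here. The start of mysql_client_binlog_statement lies before the hunk.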
@@ -145,14 +149,16 @@ void mysql_client_binlog_statement(THD*
/*
Checking that the first event in the buffer is not truncated.
*/
- ulong event_len= uint4korr(bufptr + EVENT_LEN_OFFSET);
- DBUG_PRINT("info", ("event_len=%lu, bytes_decoded=%d",
- event_len, bytes_decoded));
- if (bytes_decoded < EVENT_LEN_OFFSET || (uint) bytes_decoded < event_len)
+ ulong event_len;
+ if (bytes_decoded < EVENT_LEN_OFFSET + 4 ||
+ (event_len= uint4korr(bufptr + EVENT_LEN_OFFSET)) >
+ (uint) bytes_decoded)
{
my_error(ER_SYNTAX_ERROR, MYF(0));
goto end;
}
+ DBUG_PRINT("info", ("event_len=%lu, bytes_decoded=%d",
+ event_len, bytes_decoded));
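Review bot: The rewritten condition bounds `event_len` only from above (`> (uint) bytes_decoded`); a decoded length field of 0 or anything below the event header size still passes, and the `bufptr += event_len` advance in the next hunk would then make no progress if the subsequent parse does not reject it. If `Log_event::read_log_event` (outside this hunk) does not already refuse such lengths, adding `|| event_len < LOG_EVENT_MINIMAL_HEADER_LEN` to the same condition would close that path; please confirm against the parser before relying on it. The comparison of `ulong event_len` against `(uint) bytes_decoded` is only safe because the negative-`bytes_decoded` case is handled earlier in the function, which is not visible here — a short comment stating that precondition on the `ulong event_len;` line would help. Moving the DBUG_PRINT after the check is correct, since `event_len` is now assigned only inside the condition.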
/*
If we have not seen any Format_description_event, then we must
@@ -190,17 +196,6 @@ void mysql_client_binlog_statement(THD*
bufptr += event_len;
DBUG_PRINT("info",("ev->get_type_code()=%d", ev->get_type_code()));
-#ifndef HAVE_purify
- /*
- This debug printout should not be used for valgrind builds
- since it will read from unassigned memory.
- */
- DBUG_PRINT("info",("bufptr+EVENT_TYPE_OFFSET: 0x%lx",
- (long) (bufptr+EVENT_TYPE_OFFSET)));
- DBUG_PRINT("info", ("bytes_decoded: %d bufptr: 0x%lx buf[EVENT_LEN_OFFSET]: %lu",
- bytes_decoded, (long) bufptr,
- (ulong) uint4korr(bufptr+EVENT_LEN_OFFSET)));
-#endif
ev->thd= thd;
/*
We go directly to the application phase, since we don't need
Attachment: [text/bzr-bundle] bzr/ramil@mysql.com-20100618173223-jh4jtofz2msbzk7o.bundle