From:Ramil Kalimullin Date:June 18 2010 5:32pm
Subject:bzr commit into mysql-5.1-bugteam branch (ramil:3436) Bug#54393
#At file:///home/ram/mysql/b54393-5.1-bugteam/ based on revid:joerg@strippedmmiz4xeei4hvg

 3436 Ramil Kalimullin	2010-06-18
      Fix for bug #54393: crash and/or valgrind errors in
      mysql_client_binlog_statement
      
      Problem: server may read from unassigned memory performing
      "wrong" BINLOG queries.
      
      Fix: never read from unassigned memory.
     @ mysql-test/suite/binlog/r/binlog_base64_flag.result
        Fix for bug #54393: crash and/or valgrind errors in
        mysql_client_binlog_statement
          - test result.
     @ mysql-test/suite/binlog/t/binlog_base64_flag.test
        Fix for bug #54393: crash and/or valgrind errors in
        mysql_client_binlog_statement
          - test case.
     @ sql/sql_binlog.cc
        Fix for bug #54393: crash and/or valgrind errors in
        mysql_client_binlog_statement
          - coded_len should not count the trailing '\0';
          - never read from unassigned memory.

    modified:
      mysql-test/suite/binlog/r/binlog_base64_flag.result
      mysql-test/suite/binlog/t/binlog_base64_flag.test
      sql/sql_binlog.cc
=== modified file 'mysql-test/suite/binlog/r/binlog_base64_flag.result'
--- a/mysql-test/suite/binlog/r/binlog_base64_flag.result	2008-08-04 05:04:47 +0000
+++ b/mysql-test/suite/binlog/r/binlog_base64_flag.result	2010-06-18 17:32:23 +0000
@@ -91,3 +91,14 @@ iONkSBcBAAAAKwAAAMQBAAAQABAAAAAAAAEAA//4
 ';
 ERROR HY000: master may suffer from http://bugs.mysql.com/bug.php?id=37426 so slave stops; check error log on slave for more info
 drop table t1, char63_utf8, char128_utf8;
+#
+# Bug #54393: crash and/or valgrind errors in 
+# mysql_client_binlog_statement
+#
+BINLOG '';
+ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use
+BINLOG '123';
+BINLOG '-2079193929';
+ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use
+BINLOG 'xç↓%~∙D╒ƒ╡';
+ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use

=== modified file 'mysql-test/suite/binlog/t/binlog_base64_flag.test'
--- a/mysql-test/suite/binlog/t/binlog_base64_flag.test	2008-06-30 20:11:18 +0000
+++ b/mysql-test/suite/binlog/t/binlog_base64_flag.test	2010-06-18 17:32:23 +0000
@@ -150,3 +150,16 @@ iONkSBcBAAAAKwAAAMQBAAAQABAAAAAAAAEAA//4
 ';
 
 drop table t1, char63_utf8, char128_utf8;
+
+
+--echo #
+--echo # Bug #54393: crash and/or valgrind errors in 
+--echo # mysql_client_binlog_statement
+--echo #
+--error ER_SYNTAX_ERROR
+BINLOG '';
+BINLOG '123';
+--error ER_SYNTAX_ERROR
+BINLOG '-2079193929';
+--error ER_SYNTAX_ERROR
+BINLOG 'xç↓%~∙D╒ƒ╡';

=== modified file 'sql/sql_binlog.cc'
--- a/sql/sql_binlog.cc	2009-10-14 01:39:05 +0000
+++ b/sql/sql_binlog.cc	2010-06-18 17:32:23 +0000
@@ -42,9 +42,13 @@ void mysql_client_binlog_statement(THD* 
   if (check_global_access(thd, SUPER_ACL))
     DBUG_VOID_RETURN;
 
-  size_t coded_len= thd->lex->comment.length + 1;
+  size_t coded_len= thd->lex->comment.length;
+  if (!coded_len)
+  {
+    my_error(ER_SYNTAX_ERROR, MYF(0));
+    DBUG_VOID_RETURN;
+  }
   size_t decoded_len= base64_needed_decoded_length(coded_len);
-  DBUG_ASSERT(coded_len > 0);
 
   /*
     Allocation
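Review bot: The new zero-length check replaces the removed DBUG_ASSERT with a runtime error, but nothing at the `size_t coded_len= thd->lex->comment.length;` line records why the former `+ 1` was wrong, so a later reader may be tempted to reintroduce it. A one-line comment such as `/* comment.length excludes the terminating NUL; the decoder must not see it */` above the assignment would pin that down. mysql_client_binlog_statement starts before this hunk.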
@@ -145,14 +149,16 @@ void mysql_client_binlog_statement(THD* 
       /*
         Checking that the first event in the buffer is not truncated.
       */
-      ulong event_len= uint4korr(bufptr + EVENT_LEN_OFFSET);
-      DBUG_PRINT("info", ("event_len=%lu, bytes_decoded=%d",
-                          event_len, bytes_decoded));
-      if (bytes_decoded < EVENT_LEN_OFFSET || (uint) bytes_decoded < event_len)
+      ulong event_len;
+      if (bytes_decoded < EVENT_LEN_OFFSET + 4 || 
+          (event_len= uint4korr(bufptr + EVENT_LEN_OFFSET)) > 
+           (uint) bytes_decoded)
       {
         my_error(ER_SYNTAX_ERROR, MYF(0));
         goto end;
       }
+      DBUG_PRINT("info", ("event_len=%lu, bytes_decoded=%d",
+                          event_len, bytes_decoded));
 
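Review bot: The new guard only proves that the 4-byte length field is present and that event_len does not exceed bytes_decoded; an event_len smaller than a real event header, including zero, still passes both conditions and is then used for `bufptr += event_len` further down, outside this hunk. If LOG_EVENT_MINIMAL_HEADER_LEN is in scope here, extending the second condition to `event_len < LOG_EVENT_MINIMAL_HEADER_LEN || event_len > (uint) bytes_decoded` would reject such headers at this point instead of relying on the event constructor to cope with them. The literal 4 is the width of the field read by uint4korr; a short comment such as `/* need the whole 4-byte event_len field before reading it */` would make the `+ 4` self-explanatory. The enclosing loop and function start and end outside the hunk.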
       /*
         If we have not seen any Format_description_event, then we must
@@ -190,17 +196,6 @@ void mysql_client_binlog_statement(THD* 
       bufptr += event_len;
 
       DBUG_PRINT("info",("ev->get_type_code()=%d", ev->get_type_code()));
-#ifndef HAVE_purify
-      /*
-        This debug printout should not be used for valgrind builds
-        since it will read from unassigned memory.
-      */
-      DBUG_PRINT("info",("bufptr+EVENT_TYPE_OFFSET: 0x%lx",
-                         (long) (bufptr+EVENT_TYPE_OFFSET)));
-      DBUG_PRINT("info", ("bytes_decoded: %d   bufptr: 0x%lx  buf[EVENT_LEN_OFFSET]: %lu",
-                          bytes_decoded, (long) bufptr,
-                          (ulong) uint4korr(bufptr+EVENT_LEN_OFFSET)));
-#endif
       ev->thd= thd;
       /*
         We go directly to the application phase, since we don't need

Attachment: [text/bzr-bundle] bzr/ramil@mysql.com-20100618173223-jh4jtofz2msbzk7o.bundle