Details
- Bug
- Status: Done
- High
- Resolution: Fixed
Description
Reported in Launchpad by Alexey Kopytov; last update 24-03-2016 09:45:51
Found using AddressSanitizer testing.
The mysqlbinlog utility may perform out-of-bounds heap buffer reads, and thus exhibit undefined behavior, when processing RBR events in the old (pre-5.1 GA) format.
The following code in process_event() would only be correct if Rows_log_event were the base class for the {Write,Update,Delete}_rows_log_event_old classes:
    case WRITE_ROWS_EVENT:
    case DELETE_ROWS_EVENT:
    case UPDATE_ROWS_EVENT:
    case PRE_GA_WRITE_ROWS_EVENT:
    case PRE_GA_DELETE_ROWS_EVENT:
    case PRE_GA_UPDATE_ROWS_EVENT:
    ...
      /* unconditional downcast, also taken for the PRE_GA_* (old-format) events */
      Rows_log_event *e= (Rows_log_event*) ev;
      Table_map_log_event *ignored_map=
        print_event_info->m_table_map_ignored.get_table(e->get_table_id());
    ...
      if (e->get_flags(Rows_log_event::STMT_END_F))
However, Rows_log_event is only the base class for the {Write,Update,Delete}_rows_log_event family of classes, not for their *_old counterparts. So the above typecasts are incorrect for old-format RBR events and may result (and, according to AddressSanitizer reports, do result) in reading memory outside the previously allocated heap buffer.
How to repeat:
Examine the code in process_event(), or run the binlog.binlog_base64_flag or binlog.binlog_old_versions tests with an AddressSanitizer-instrumented mysqlbinlog.