mirror of
https://github.com/MariaDB/server.git
synced 2025-01-17 12:32:27 +01:00
Bug#19145712 USER AFTER FREE / DOUBLE FREE ISSUE
Problem: A corrupted header length in FORMAT_DESCRIPTION_LOG_EVENT can cause server to crash. Analysis: FORMAT_DESCRIPTION_EVENT will be considered invalid if header len is too small (i.e. below OLD_HEADER_LEN). Format_description_log_event:: Format_description_log_event(...) { ... if ((common_header_len=buf[ST_COMMON_HEADER_LEN_OFFSET]) < OLD_HEADER_LEN) DBUG_VOID_RETURN; /* sanity check */ ... post_header_len= my_memdup(...) } In that case Format_description_log_event constructor will return early, without allocating any memory for post_header_len. Thence this variable is left uninitialized and making server to crash when server is trying to free the uninitialized value. Fix: When Format_description_log_event constructor returns early, assign NULL to post_header_len.
This commit is contained in:
parent
341ca222cf
commit
2b33138d00
1 changed files with 4 additions and 0 deletions
|
@ -4087,7 +4087,11 @@ Format_description_log_event(const char* buf,
|
|||
DBUG_ENTER("Format_description_log_event::Format_description_log_event(char*,...)");
|
||||
buf+= LOG_EVENT_MINIMAL_HEADER_LEN;
|
||||
if ((common_header_len=buf[ST_COMMON_HEADER_LEN_OFFSET]) < OLD_HEADER_LEN)
|
||||
{
|
||||
/* this makes is_valid() return false. */
|
||||
post_header_len= NULL;
|
||||
DBUG_VOID_RETURN; /* sanity check */
|
||||
}
|
||||
number_of_event_types=
|
||||
event_len-(LOG_EVENT_MINIMAL_HEADER_LEN+ST_COMMON_HEADER_LEN_OFFSET+1);
|
||||
DBUG_PRINT("info", ("common_header_len=%d number_of_event_types=%d",
|
||||
|
|
Loading…
Reference in a new issue