diff options
author | Marko Mäkelä <marko.makela@mariadb.com> | 2022-09-16 14:10:45 +0300 |
---|---|---|
committer | Marko Mäkelä <marko.makela@mariadb.com> | 2022-09-16 14:10:45 +0300 |
commit | 593fdee3973ce4ab4890a6fb9f740b3a28a44edc (patch) | |
tree | bbb59f4939f285ad1c97548e24e5a15923a52235 /mysql-test/suite/engines/funcs/r/rpl_do_grant.result | |
parent | d2cae171d1a105d52e10757aa268aebd9387ed24 (diff) | |
download | mariadb-git-593fdee3973ce4ab4890a6fb9f740b3a28a44edc.tar.gz |
MDEV-29555 ASAN heap-buffer-overflow in mariabackup.huge_lsn,strict_full_crc32
recv_scan_log(): Do not dereference the first byte of the log record
before recv_sys.parse_pmem() (or recv_sys_t::parse_mtr()) returns OK.
In the case of the failure that was analyzed, we had
recv_sys.offset == recv_sys.len and recv_sys_t::parse_mtr() would return
PREMATURE_EOF. This would lead us to reading more data and parsing again.
When a memory-mapped interface to the log is being used, that is,
log_sys.is_pmem() holds, recv_sys.offset cannot point past the
end of the memory-mapped log_sys.buf[]. This is guaranteed by
log_sys.calc_lsn_offset().
Thanks to Nayuta Yanagisawa for providing a core dump for analysis.
Diffstat (limited to 'mysql-test/suite/engines/funcs/r/rpl_do_grant.result')
0 files changed, 0 insertions, 0 deletions