Bug #30790 Suspicious code in rpl_utility.cc
Submitted: 4 Sep 2007 14:27 Modified: 28 Nov 2007 20:12
Reporter: Rafal Somla
Status: Closed
Category: Server: Replication
Severity: S3 (Non-critical)
Version: 5.1.22
OS: Any
Assigned to: Chuck Bell
Target Version: 5.1.23

[4 Sep 2007 14:27] Rafal Somla
Description:
Quoting from Antony Curtis:
----------------------------------------------------------------------------
on mysql-5.1-target-5.1.22 repository

New test fails on big-endian architectures: rpl_ndb_2other

Debug build failure caused by assertion.
Release build failure caused by fatal buffer overflow and widespread memory corruption.

Analysis:

There are many areas of dubious code, for example in rpl_utility.cc

    length= m_field_metadata[col] & 0x00ff;
    DBUG_ASSERT(length > 0);
    if (length > 255)
    {

How will that if statement ever evaluate to true?

Other areas have ushort values sign extended and stored in uint, which will result in
values of 32768-64436 resulting in very large integer values.
---------------------------------------------------------------------------

The code fragment above comes from table_def::calc_field_size() which was modified by
WL#3228.

An issue to consider is how this code handles different byte orders (e.g. big-endian on
solaris). This is a more general problem of how to handle different byte orders in
replication. See related BUG#29549.

How to repeat:
See code in rpl_utility.cc
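An added illustration (not code from this report or from rpl_utility.cc) of the two defect classes described above: a length masked to its low byte can never trip a "> 255" check, and a 16-bit value that passes through a signed type before being stored in an unsigned int is sign extended into a huge length. The metadata layout, byte array and function names below are hypothetical; the decoder reads the two bytes explicitly so the result does not depend on host byte order.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: a 2-byte metadata word whose value is 0x8000,
   stored little-endian. The real layout in rpl_utility.cc is not reproduced. */
static const unsigned char sample_meta[2] = { 0x00, 0x80 };

/* The pattern from the report: masking to the low byte first bounds the
   result to 0..255, so a later "if (length > 255)" branch is unreachable. */
unsigned low_byte_length(unsigned short meta)
{
    unsigned length = meta & 0x00ff;
    return length;
}

/* Exhaustively confirms that the masked length never exceeds 255. */
int masked_length_can_exceed_255(void)
{
    unsigned m;
    for (m = 0; m <= 0xffff; m++)
        if (low_byte_length((unsigned short)m) > 255)
            return 1;
    return 0;
}

/* Sign-extension hazard: the 16-bit value is assembled into a signed short
   before widening, so 0x8000 becomes -32768 and then 0xFFFF8000 as unsigned. */
unsigned widen_via_signed(const unsigned char *p)
{
    short s = (short)(p[0] | (p[1] << 8));
    return (unsigned)s;
}

/* Correct, host-order-independent decode: stays unsigned at every step. */
unsigned widen_unsigned_le(const unsigned char *p)
{
    return (unsigned)p[0] | ((unsigned)p[1] << 8);
}

/* Defensive check: a decoded length must fit the destination buffer
   before it is used for copying or allocation. */
int length_fits(unsigned length, size_t buf_size)
{
    return length <= buf_size;
}

int main(void)
{
    printf("signed path: %u, unsigned path: %u\n",
           widen_via_signed(sample_meta), widen_unsigned_le(sample_meta));
    printf("masked length can exceed 255: %d\n", masked_length_can_exceed_255());
    return 0;
}
```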
[5 Sep 2007 18:42] Chuck Bell
Minor change made in code to allow MYSQL_TYPE_STRING to have values > 255. However,
currently MYSQL_TYPE_STRING fields such as CHAR and BINARY are limited to 255. This code
was added for future enhancements should these fields be extended. A similar construct is
included in field.cc.

Added comments to clarify use of variable types.
[10 Sep 2007 16:26] Antony Curtis
Cset email found: 

http://lists.mysql.com/commits/33924
[10 Sep 2007 23:24] Antony Curtis
Reviewed and approved patch: http://lists.mysql.com/commits/34014
[11 Sep 2007 17:49] Rafal Somla
Good to push.
[27 Nov 2007 11:51] Bugs System
Pushed into 5.1.23-rc
[27 Nov 2007 11:53] Bugs System
Pushed into 6.0.4-alpha
[28 Nov 2007 20:12] Jon Stephens
Thank you for your bug report. This issue has been committed to our source repository of
that product and will be incorporated into the next release.

If necessary, you can access the source repository and build the latest available version,
including the bug fix. More information about accessing the source trees is available at

    http://dev.mysql.com/doc/en/installing-source.html

Documented bugfix in 5.1.23 and 6.0.4 changelogs. See Bug #29549 for synopsis.