Bug #30790 Suspicious code in rpl_utility.cc
Submitted: 4 Sep 2007 12:27 Modified: 28 Nov 2007 19:12
Reporter: Rafal Somla
Status: Closed
Category:MySQL Server: Replication Severity:S3 (Non-critical)
Version:5.1.22 OS:Any
Assigned to: Chuck Bell CPU Architecture:Any

[4 Sep 2007 12:27] Rafal Somla
Description:
Quoting from Antony Curtis:
----------------------------------------------------------------------------
on mysql-5.1-target-5.1.22 repository

New test fails on big-endian architectures: rpl_ndb_2other

Debug build failure caused by assertion.
Release build failure caused by fatal buffer overflow and widespread memory corruption.

Analysis:

There are many areas of dubious code, for example in rpl_utility.cc

    length= m_field_metadata[col] & 0x00ff;
    DBUG_ASSERT(length > 0);
    if (length > 255)
    {

How will that if statement ever evaluate to true?

Other areas have ushort values sign-extended and stored in uint, which will result in values of 32768-64436 resulting in very large integer values.
---------------------------------------------------------------------------

The code fragment above comes from table_def::calc_field_size() which was modified by WL#3228.

An issue to consider is how this code handles different byte orders (e.g. big-endian on solaris). This is a more general problem of how to handle different byte orders in replication. See related BUG#29549.

How to repeat:
See code in rpl_utility.cc
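The two defects quoted above (the unreachable `> 255` branch after masking, and a 16-bit word sign-extended on its way into an unsigned int), together with the byte-order hazard the report mentions, as an added illustration in C. This is constructed code assuming a one-word-per-column metadata layout with the string length in the low byte; it is not MySQL's rpl_utility.cc.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed sample metadata words (two bytes each, not from a real binlog). */
static const unsigned char kTopBitSet[2] = {0x00, 0x80};  /* word 0x8000 */
static const unsigned char kSmallLen[2]  = {0x10, 0x00};  /* word 0x0010 */

/* Mirrors the quoted check: the mask leaves 0..255, so the comparison can
 * never be true. Returns the length the quoted code computes. */
unsigned calc_string_length(uint16_t meta)
{
    unsigned length = meta & 0x00ff;
    return length;
}

/* Reports whether the `length > 255` branch would run for a given word.
 * It never does, because the mask above bounds the value. */
bool dead_branch_taken(uint16_t meta)
{
    unsigned length = meta & 0x00ff;
    return length > 255;   /* unreachable: value is at most 0xff */
}

/* Buggy widening: the word is held in a signed short and then stored in an
 * unsigned int. With bit 15 set the short is negative, the conversion
 * sign-extends, and a length of 32768 becomes a value near 4 billion. */
unsigned widen_signed(const unsigned char *buf)
{
    short raw = (short) (buf[0] | (buf[1] << 8));   /* little-endian word */
    return (unsigned) raw;                           /* sign-extended */
}

/* Correct widening: keep the intermediate unsigned so 32768..65535 survive. */
unsigned widen_unsigned(const unsigned char *buf)
{
    uint16_t raw = (uint16_t) (buf[0] | (buf[1] << 8));
    return (unsigned) raw;
}

/* Byte-order hazard: the same two bytes read as a host-order word differ
 * between little- and big-endian hosts. Assembling bytes explicitly in the
 * format's fixed order avoids the dependency. */
unsigned read_word_as(const unsigned char *buf, bool big_endian)
{
    return big_endian ? (((unsigned) buf[0] << 8) | buf[1])
                      : ((unsigned) buf[0] | ((unsigned) buf[1] << 8));
}
```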
[5 Sep 2007 16:42] Chuck Bell
Minor change made in code to allow MYSQL_TYPE_STRING to have values > 255. However, currently MYSQL_TYPE_STRING fields such as CHAR and BINARY are limited to 255. This code was added for future enhancements should these fields be extended. A similar construct is included in field.cc.

Added comments to clarify use of variable types.
[10 Sep 2007 14:26] Antony Curtis
Cset email found: 

http://lists.mysql.com/commits/33924
[10 Sep 2007 21:24] Antony Curtis
Reviewed and approve patch: http://lists.mysql.com/commits/34014
[11 Sep 2007 15:49] Rafal Somla
Good to push.
[27 Nov 2007 10:51] Bugs System
Pushed into 5.1.23-rc
[27 Nov 2007 10:53] Bugs System
Pushed into 6.0.4-alpha
[28 Nov 2007 19:12] Jon Stephens
Thank you for your bug report. This issue has been committed to our source repository of that product and will be incorporated into the next release.

If necessary, you can access the source repository and build the latest available version, including the bug fix. More information about accessing the source trees is available at

    http://dev.mysql.com/doc/en/installing-source.html

Documented bugfix in 5.1.23 and 6.0.4 changelogs. See Bug #29549 for synopsis.