Description:
In the method Transaction_context_log_event::write_snapshot_version() the variable len is defined as uint16, which is incorrect because the length of snapshot_version is a 4-byte field:
bool Transaction_context_log_event::write_snapshot_version(IO_CACHE* file)
{
  DBUG_ENTER("Transaction_context_log_event::write_snapshot_version");
  bool result= false;
  uint16 len= get_snapshot_version_size();
The snapshot_version length is defined in libbinlogevents/include/control_events.h:
  uint32_t encoded_snapshot_version_length;
  // 4 bytes length
  static const int ENCODED_SNAPSHOT_VERSION_LEN_OFFSET= 10;
  // 2 bytes length.
  static const int ENCODED_WRITE_SET_ITEMS_OFFSET= 14;
Because len is only 16 bits wide, any snapshot version size that needs more than 2 bytes (i.e. above 65535) is truncated on assignment (it wraps modulo 65536), so len no longer matches the 4-byte length field and the buffer allocated from it is smaller than the data it is meant to hold.
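To make the truncation concrete, the following is an added example, not code from the MySQL tree: a simplified model of the writer with the uint16 and the uint32 len side by side. The record layout (a 4-byte little-endian length followed by the payload), the function and type names, and the bounds-checked stand-in encoder are assumptions for this example; the stand-in encoder refuses to write past its capacity, so the undersized allocation surfaces as a WRITE_TRUNCATED status instead of whatever the real encoder would do with too little room.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record layout for this example: a 4-byte little-endian length
 * (the on-disk field is 4 bytes per the control_events.h comment) followed by
 * the encoded snapshot version.  All names here are stand-ins, not MySQL's. */

enum write_status { WRITE_OK = 0, WRITE_NOMEM = 1, WRITE_TRUNCATED = 2, WRITE_NOSPACE = 3 };

struct snapshot_version {
    const uint8_t *encoded;  /* already-encoded bytes (constructed for the example) */
    uint32_t encoded_size;   /* full encoded length; fits the 4-byte field */
};

static uint32_t get_snapshot_version_size(const struct snapshot_version *sv)
{
    return sv->encoded_size;
}

/* Bounds-checked stand-in for snapshot_version->encode(): never writes past
 * cap, and reports when cap was too small for the whole encoding. */
static int encode_into(const struct snapshot_version *sv, uint8_t *buf, size_t cap)
{
    size_t need = sv->encoded_size;
    memcpy(buf, sv->encoded, need <= cap ? need : cap);
    return need <= cap ? 0 : -1;
}

static void put_u32_le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_u32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Common tail of both variants: allocate `len` bytes (the caller's idea of
 * the size, as my_malloc(len) does in the original), encode into them, and
 * emit [len][payload] into out. */
static enum write_status emit_record(const struct snapshot_version *sv, uint32_t len,
                                     uint8_t *out, size_t cap, size_t *written)
{
    uint8_t *buffer;
    if (cap < 4u + (size_t)len)
        return WRITE_NOSPACE;
    buffer = malloc(len ? len : 1);
    if (buffer == NULL)
        return WRITE_NOMEM;
    if (encode_into(sv, buffer, len) != 0) {   /* undersized buffer is caught here */
        free(buffer);
        return WRITE_TRUNCATED;
    }
    put_u32_le(out, len);
    memcpy(out + 4, buffer, len);
    free(buffer);
    *written = 4u + (size_t)len;
    return WRITE_OK;
}

/* Before the fix: len is uint16, so only the low 16 bits of the size survive. */
static enum write_status write_snapshot_version_u16(const struct snapshot_version *sv,
                                                    uint8_t *out, size_t cap, size_t *written)
{
    uint16_t len = (uint16_t)get_snapshot_version_size(sv);
    return emit_record(sv, len, out, cap, written);
}

/* After the fix: len is as wide as the on-disk length field. */
static enum write_status write_snapshot_version_u32(const struct snapshot_version *sv,
                                                    uint8_t *out, size_t cap, size_t *written)
{
    uint32_t len = get_snapshot_version_size(sv);
    return emit_record(sv, len, out, cap, written);
}

/* Reader side: the payload length a decoder would trust, or 0 when the
 * header claims more bytes than the record actually holds. */
static uint32_t read_snapshot_version_len(const uint8_t *rec, size_t avail)
{
    uint32_t len;
    if (avail < 4)
        return 0;
    len = get_u32_le(rec);
    return (size_t)len <= avail - 4 ? len : 0;
}

/* Builds a constructed n-byte payload, runs one variant and returns its
 * status; if header_len is non-NULL it receives the length a reader sees. */
static enum write_status run_variant(uint32_t n, int use_u16, uint32_t *header_len)
{
    uint8_t *payload = malloc(n ? n : 1), *out = malloc((size_t)n + 4);
    struct snapshot_version sv;
    size_t written = 0;
    enum write_status st;
    uint32_t i;
    if (header_len) *header_len = 0;
    if (payload == NULL || out == NULL) { free(payload); free(out); return WRITE_NOMEM; }
    for (i = 0; i < n; i++) payload[i] = (uint8_t)(i * 7);
    sv.encoded = payload; sv.encoded_size = n;
    st = use_u16 ? write_snapshot_version_u16(&sv, out, (size_t)n + 4, &written)
                 : write_snapshot_version_u32(&sv, out, (size_t)n + 4, &written);
    if (st == WRITE_OK && header_len) *header_len = read_snapshot_version_len(out, written);
    free(payload); free(out);
    return st;
}

static uint32_t header_len_of(uint32_t n, int use_u16)
{
    uint32_t l;
    run_variant(n, use_u16, &l);
    return l;
}

int main(void)
{
    printf("uint16 len, 70000-byte payload: status %d (len wrapped to %u)\n",
           (int)run_variant(70000, 1, NULL), (unsigned)(uint16_t)70000);
    printf("uint32 len, 70000-byte payload: status %d, header length %u\n",
           (int)run_variant(70000, 0, NULL), (unsigned)header_len_of(70000, 0));
    return 0;
}
```

A 1000-byte snapshot version goes through both variants unchanged, which is why the bug is invisible in small tests; at 70000 bytes the uint16 variant allocates 4464 bytes and the encoder stops it, while the uint32 variant writes a record whose header length round-trips through the reader.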
How to repeat:
See the code.
Suggested fix:
DBUG_ENTER("Transaction_context_log_event::write_snapshot_version");
bool result= false;
- uint16 len= get_snapshot_version_size();
+ uint32 len= get_snapshot_version_size();
uchar *buffer= (uchar *) my_malloc(key_memory_log_event,
len, MYF(MY_WME));
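Review bot: widening len to uint32 removes the narrowing at the assignment, but the patch should also confirm that get_snapshot_version_size() itself returns a type at least 32 bits wide (otherwise the truncation only moves into the callee) and that every later use of len in write_snapshot_version(), not just the my_malloc(key_memory_log_event, len, MYF(MY_WME)) call shown here, takes the widened value rather than a separate 16-bit copy; since the on-disk length field is 4 bytes, the read side that decodes that field deserves the same check.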