Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
10.8.1, 10.9.0, 10.10.0
Description
nayuta-yanagisawa reported that the test mariabackup.huge_lsn,strict_full_crc32 would occasionally trigger an AddressSanitizer heap-buffer-overflow report on his system.
The following patch fixes it:
diff --git a/storage/innobase/log/log0recv.cc b/storage/innobase/log/log0recv.cc
index 0b6ddce30ce..37a4e722767 100644
--- a/storage/innobase/log/log0recv.cc
+++ b/storage/innobase/log/log0recv.cc
@@ -3713,7 +3713,7 @@ static bool recv_scan_log(bool last_phase)
for (;;)
{
- const byte b{log_sys.buf[recv_sys.offset]};
+ const byte& b{log_sys.buf[recv_sys.offset]};
r= recv_sys.parse_pmem(store);
if (r == recv_sys_t::OK)
{
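Review bot: the fix rests on a subtlety that the hunk should document: `+ const byte& b{log_sys.buf[recv_sys.offset]};` only binds a reference, so the byte at recv_sys.offset (equal to recv_sys.len when the log wraps at the end of the file) is not loaded until b is used after `if (r == recv_sys_t::OK)`. Without a comment, a later cleanup could turn the reference back into a by-value copy and reintroduce the one-past-the-end read; the reference also assumes that `r= recv_sys.parse_pmem(store);` does not reallocate or move log_sys.buf in between. Consider either stating both points in a comment or moving the read of the byte into the `r == recv_sys_t::OK` branch, where its validity is explicit.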
In this test, some Perl code always generates the same log file, which wraps around at the end of the file. recv_sys.offset will then be equal to recv_sys.len, that is, b points just past the end of log_sys.buf. We are actually only interested in the value of the byte (the first byte of the parsed record) at that offset if r == recv_sys_t::OK, which indicates that the entire mini-transaction was present in the buffer.
I do not think that this bug has much practical impact outside AddressSanitizer.
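A constructed model of the read ordering described above, added here and not MariaDB code: CheckedBuf, parse_pmem, scan_eager and scan_lazy are stand-ins for log_sys.buf, recv_sys.parse_pmem() and the two versions of the loop. The eager variant performs the one-past-the-end read that AddressSanitizer reported on a wrapped log; the lazy variant reads the byte only once the parser has confirmed a complete record.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed stand-in for log_sys.buf: reads are bounds-checked and an
// out-of-range access is counted instead of being undefined behaviour,
// which is what AddressSanitizer flagged on the real buffer.
struct CheckedBuf {
  std::vector<uint8_t> data;
  mutable std::size_t oob_reads = 0;
  uint8_t at(std::size_t i) const {
    if (i >= data.size()) { ++oob_reads; return 0; }
    return data[i];
  }
};

enum class ParseResult { OK, PREMATURE_EOF };

// Stand-in for recv_sys.parse_pmem(): a mini-transaction counts as complete
// only if its first byte lies inside the buffer (constructed rule, not
// InnoDB's real parser).
static ParseResult parse_pmem(const CheckedBuf& buf, std::size_t offset) {
  return offset < buf.data.size() ? ParseResult::OK : ParseResult::PREMATURE_EOF;
}

struct ScanOutcome { bool record_ok; uint8_t first_byte; std::size_t oob_reads; };

// Pre-patch order (const byte b{...}): the byte at `offset` is copied before
// parse_pmem() has said whether a record starts there, so a wrapped log with
// offset == len reads one past the end even though the value is never used.
static ScanOutcome scan_eager(const CheckedBuf& buf, std::size_t offset) {
  const uint8_t b = buf.at(offset);
  const ParseResult r = parse_pmem(buf, offset);
  if (r == ParseResult::OK) return {true, b, buf.oob_reads};
  return {false, 0, buf.oob_reads};
}

// Post-patch order (const byte& b{...}): the byte is loaded only once
// r == OK, i.e. only when the whole mini-transaction is inside the buffer.
static ScanOutcome scan_lazy(const CheckedBuf& buf, std::size_t offset) {
  const ParseResult r = parse_pmem(buf, offset);
  if (r == ParseResult::OK) return {true, buf.at(offset), buf.oob_reads};
  return {false, 0, buf.oob_reads};
}
```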
Issue Links
is caused by: MDEV-14425 Change the InnoDB redo log format to reduce write amplification (Closed)