MDEV-29555 ASAN heap-buffer-overflow in mariabackup.huge_lsn,strict_full_crc32

recv_scan_log(): Do not dereference the first byte of the log record
before recv_sys.parse_pmem() (or recv_sys_t::parse_mtr()) returns OK.

In the case of the failure that was analyzed, we had
recv_sys.offset == recv_sys.len and recv_sys_t::parse_mtr() would return
PREMATURE_EOF. This would lead us to reading more data and parsing again.

When a memory-mapped interface to the log is being used, that is,
log_sys.is_pmem() holds, recv_sys.offset cannot point past the
end of the memory-mapped log_sys.buf[]. This is guaranteed by
log_sys.calc_lsn_offset().

Thanks to Nayuta Yanagisawa for providing a core dump for analysis.
dr-m committed Sep 16, 2022
1 parent d2cae17 commit 593fdee
Showing 1 changed file with 1 addition and 1 deletion.
@@ -3713,7 +3713,7 @@ static bool recv_scan_log(bool last_phase)

for (;;)
{
const byte b{log_sys.buf[recv_sys.offset]};
const byte& b{log_sys.buf[recv_sys.offset]};
r= recv_sys.parse_pmem(store);
if (r == recv_sys_t::OK)
{
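Review bot: the reference `const byte& b{log_sys.buf[recv_sys.offset]};` is still formed before `parse_pmem()` runs, so nothing in the code itself documents that `b` must not be read until `r == recv_sys_t::OK`; a one-line comment at the declaration stating that the byte is only valid after the OK check would stop a later edit from reintroducing the early read that caused the overflow. Alternatively, declare `b` inside the `if (r == recv_sys_t::OK)` block, which keeps the read next to the check that makes it safe and avoids forming a reference to `buf[recv_sys.len]` in the `recv_sys.offset == recv_sys.len` case described in the commit message.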
