From f2806b123d5ba432c13d47cf5479c82f35f0f0ae Mon Sep 17 00:00:00 2001
From: O2
Date: Tue, 29 Dec 2020 15:16:50 +0800
Subject: [PATCH] =?UTF-8?q?bugfix=EF=BC=9A=20binlog=20reader=20maybe=20cor?=
 =?UTF-8?q?rupt=20memory=20when=20length=20is=20exceeeded=20(#988)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/pika_binlog_reader.cc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/pika_binlog_reader.cc b/src/pika_binlog_reader.cc
index 07e1a3b6..4b4255f0 100644
--- a/src/pika_binlog_reader.cc
+++ b/src/pika_binlog_reader.cc
@@ -117,6 +117,9 @@ bool PikaBinlogReader::GetNext(uint64_t* size) {
   const unsigned int type = header[7];
   const uint32_t length = a | (b << 8) | (c << 16);
 
+  if (length > (kBlockSize - kHeaderSize))
+    return true;
+
   if (type == kFullType) {
     s = queue_->Read(length, &buffer_, backing_store_);
     offset += kHeaderSize + length;
@@ -166,6 +169,10 @@ unsigned int PikaBinlogReader::ReadPhysicalRecord(slash::Slice *result, uint32_t
   const uint32_t c = static_cast(header[2]) & 0xff;
   const unsigned int type = header[7];
   const uint32_t length = a | (b << 8) | (c << 16);
+
+  if (length > (kBlockSize - kHeaderSize))
+    return kBadRecord;
+
   if (type == kZeroType || length == 0) {
     buffer_.clear();
     return kOldRecord;
-- 
GitLab
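Review bot: The new guard in GetNext bails out with a bare `return true;` and no diagnostic, so an oversized length field, which is exactly the signature of a truncated, corrupted or tampered binlog, is indistinguishable from any other failure and leaves no trace for an operator. Log the offending value before returning, using whatever logging facility this file already uses, e.g. `LOG(WARNING) << "binlog record length " << length << " exceeds max payload " << (kBlockSize - kHeaderSize);`, and add a one-line why-comment such as `// length is attacker/corruption controlled; larger than the block payload cannot fit in backing_store_` above the check. The guard only makes the following `queue_->Read(length, ...)` safe if backing_store_ is at least kBlockSize bytes, which is not visible in the hunk; please confirm that or size the bound from the buffer rather than from kBlockSize. GetNext's body begins before this hunk and continues past it, so the meaning of a `true` return and the handling of `s` after the Read are not visible here.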
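Review bot: The bound `kBlockSize - kHeaderSize` is now written out in two functions, so the two readers can silently drift apart; hoist it once as `static constexpr uint32_t kMaxRecordPayload = kBlockSize - kHeaderSize;` and use that name in both checks. The early `return kBadRecord;` also leaves the just-read header bytes in `buffer_`, whereas the adjacent kZeroType/zero-length branch clears it before returning; unless callers are known to ignore buffer_ on kBadRecord, add `buffer_.clear();` before the return for consistency. If the reader tracks its offset within the current block, a tighter check against the space actually remaining in the block (`kBlockSize - offset_in_block - kHeaderSize`) would also reject records that overrun the block boundary without corrupting memory. ReadPhysicalRecord starts and ends outside this hunk, so the rest of its error handling is not visible.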