MDEV-35665 Potential Buffer Overrun in Gtid_log_event::write()

ParadoxV5 · ParadoxV5 · commit 8faae454e8a2 · 2025-01-21T09:47:07.000-07:00
Two-Phase ALTER added a sa_seq_no field, but `Gtid_log_event::write()`'s
size calculation doesn't have an addend in its name.

This patch resizes the buffer to match `write()`'s code.
diff --git a/sql/log_event_server.cc b/sql/log_event_server.cc
@@ -3729,7 +3729,12 @@ Gtid_log_event::peek(const uchar *event_start, size_t event_len,
 bool
 Gtid_log_event::write()
 {
-  uchar buf[GTID_HEADER_LEN+2+sizeof(XID) + /* flags_extra: */ 1+4];
+  uchar buf[GTID_HEADER_LEN+2
+    + sizeof(XID)
+    + 1 // flags_extra:
+    + 1 // extra_engines
+    + 8 // sa_seq_no
+  ];
   size_t write_len= 13;
 
   int8store(buf, seq_no);
