From ca5637106f6488cb635c92d0b8a03f60c9d188d7 Mon Sep 17 00:00:00 2001
From: Abhinav Sharma
Date: Thu, 27 May 2021 20:02:12 -0700
Subject: [PATCH] Fix heap overflow in group_relay_log_name handling

Summary: We were accessing group_relay_log_name in Query_log_event::do_apply_event_worker() but it's assigned only after the coordinator thread encounters an end event (i.e. xid event or a query event with "COMMIT" or "ROLLBACK" query). This was causing a race between accessing group_relay_log_name in the worker thread and writing it on the coordinator thread. We don't need to set transaction position in events other than end event, so now we set transaction position in query event only if it's an end event. The race is eliminated because group_relay_log_name is set before enqueuing the event to the worker thread (in both dep repl and vanilla mts).

Reviewed By: lth

Differential Revision: D28767430
---
 sql/log_event.cc | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/sql/log_event.cc b/sql/log_event.cc
index d204bd1dccb2..906694a6f20e 100644
--- a/sql/log_event.cc
+++ b/sql/log_event.cc
@@ -4676,15 +4676,17 @@ int Query_log_event::do_apply_event(Relay_log_info const *rli) {
 }
 
 int Query_log_event::do_apply_event_worker(Slave_worker *w) {
-  // Note: We're using event's future_event_relay_log_pos instead of
-  // rli->get_event_relay_log_pos() because rli is only updated in
-  // do_update_pos() which is called after applying the event and we might need
-  // to use this pos during application (e.g. during commit)
-  Slave_job_group *ptr_g = w->c_rli->gaq->get_job_group(mts_group_idx);
-  thd->set_trans_relay_log_pos(ptr_g->group_relay_log_name
-                                   ? ptr_g->group_relay_log_name
-                                   : w->get_group_relay_log_name(),
-                               future_event_relay_log_pos);
+  if (ends_group()) {
+    // Note: We're using event's future_event_relay_log_pos instead of
+    // rli->get_event_relay_log_pos() because rli is only updated in
+    // do_update_pos() which is called after applying the event and we might
+    // need to use this pos during application (e.g. during commit)
+    Slave_job_group *ptr_g = w->c_rli->gaq->get_job_group(mts_group_idx);
+    thd->set_trans_relay_log_pos(ptr_g->group_relay_log_name
+                                     ? ptr_g->group_relay_log_name
+                                     : w->get_group_relay_log_name(),
+                                 future_event_relay_log_pos);
+  }
   return do_apply_event(w, query, q_len);
 }
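Review bot: The `if (ends_group())` guard is the entire fix, but nothing in the code says why it is there; the comment that was kept only justifies `future_event_relay_log_pos`, so a later reader can "simplify" the guard away and reintroduce the cross-thread read of `group_relay_log_name` described in the commit message. Add a line above the guard such as `// Only end events may read ptr_g->group_relay_log_name: the coordinator assigns it when it sees the end event, before enqueuing, so reading it for any other event races with that write.` If the summary's claim holds for both dep repl and vanilla MTS, the `: w->get_group_relay_log_name()` fallback should be unreachable for end events, and a `DBUG_ASSERT(ptr_g->group_relay_log_name)` (or a comment naming the path that can still leave it null) would make the invariant checkable instead of silently masked. The guard is only safe if the enqueue itself orders the coordinator's write before the worker's read, which this hunk cannot show; it is worth stating that dependency in the comment or confirming it against the queue code.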