From:Alexander Barkov Date:November 10 2010 12:21pm
Subject:bzr commit into mysql-5.1-bugteam branch (bar:3503) Bug#57257 Bug#57820
#At file:///home/bar/mysql-bzr/mysql-5.1-bugteam.b57820/ based on revid:dmitry.shulga@stripped

 3503 Alexander Barkov	2010-11-10
      Bug#57257 Replace(ExtractValue(...)) causes MySQL crash
      Bug#57820 extractvalue crashes
      
      Problem: ExtractValue and Replace crashed in some cases
      due to invalid handling of empty and NULL arguments.
      
      Per file comments:
      
        @mysql-test/r/ctype_ujis.result
        @mysql-test/r/xml.result
        @mysql-test/t/ctype_ujis.test
        @mysql-test/t/xml.test
        Adding tests
      
        @sql/item_strfunc.cc
        Make sure Item_func_replace::val_str safely handles empty strings.
      
        @sql/item_xmlfunc.cc
        set null_value if nodeset_func returned NULL,
        which is possible when the second argument is an
        unset user variable.

    modified:
      mysql-test/r/ctype_ujis.result
      mysql-test/r/xml.result
      mysql-test/t/ctype_ujis.test
      mysql-test/t/xml.test
      sql/item_strfunc.cc
      sql/item_xmlfunc.cc
=== modified file 'mysql-test/r/ctype_ujis.result'
--- a/mysql-test/r/ctype_ujis.result	2008-02-20 18:49:26 +0000
+++ b/mysql-test/r/ctype_ujis.result	2010-11-10 12:17:10 +0000
@@ -2374,6 +2374,16 @@ hex(convert(_latin1 0xA4A2 using ujis))	
 DROP PROCEDURE sp1;
 DROP TABLE t1;
 DROP TABLE t2;
+#
+# Bug#57257 Replace(ExtractValue(...)) causes MySQL crash
+#
+SET NAMES utf8;
+SELECT CONVERT(replace(export_set('a','a','a','','a'),'00','') USING ujis);
+CONVERT(replace(export_set('a','a','a','','a'),'00','') USING ujis)
+
+Warnings:
+Warning	1292	Truncated incorrect INTEGER value: 'a'
+Warning	1292	Truncated incorrect INTEGER value: 'a'
 set names default;
 set character_set_database=default;
 set character_set_server=default;

=== modified file 'mysql-test/r/xml.result'
--- a/mysql-test/r/xml.result	2009-07-10 23:12:13 +0000
+++ b/mysql-test/r/xml.result	2010-11-10 12:17:10 +0000
@@ -1093,4 +1093,17 @@ Warnings:
 Warning	1525	Incorrect XML value: 'parse error at line 1 pos 23: unexpected END-OF-INPUT'
 Warning	1525	Incorrect XML value: 'parse error at line 1 pos 23: unexpected END-OF-INPUT'
 DROP TABLE t1;
+#
+# Bug#57257 Replace(ExtractValue(...)) causes MySQL crash
+#
+SET NAMES utf8;
+SELECT replace(ExtractValue('1', '/a'),'ds','');
+replace(ExtractValue('1', '/a'),'ds','')
+
+#
+# Bug #57820 extractvalue crashes
+#
+SELECT avg(DISTINCT ExtractValue((''),('$@k')));
+avg(DISTINCT ExtractValue((''),('$@k')))
+NULL
 End of 5.1 tests

=== modified file 'mysql-test/t/ctype_ujis.test'
--- a/mysql-test/t/ctype_ujis.test	2008-02-20 18:49:26 +0000
+++ b/mysql-test/t/ctype_ujis.test	2010-11-10 12:17:10 +0000
@@ -1209,6 +1209,13 @@ DROP PROCEDURE sp1;
 DROP TABLE t1;
 DROP TABLE t2;
 
+--echo #
+--echo # Bug#57257 Replace(ExtractValue(...)) causes MySQL crash
+--echo #
+SET NAMES utf8;
+SELECT CONVERT(replace(export_set('a','a','a','','a'),'00','') USING ujis);
+
+
 set names default;
 set character_set_database=default;
 set character_set_server=default;

=== modified file 'mysql-test/t/xml.test'
--- a/mysql-test/t/xml.test	2009-07-10 23:12:13 +0000
+++ b/mysql-test/t/xml.test	2010-11-10 12:17:10 +0000
@@ -617,4 +617,15 @@ FROM t1 ORDER BY t1.id;
 
 DROP TABLE t1;
 
+--echo #
+--echo # Bug#57257 Replace(ExtractValue(...)) causes MySQL crash
+--echo #
+SET NAMES utf8;
+SELECT replace(ExtractValue('1', '/a'),'ds','');
+
+--echo #
+--echo # Bug #57820 extractvalue crashes
+--echo #
+SELECT avg(DISTINCT ExtractValue((''),('$@k')));
+
 --echo End of 5.1 tests

=== modified file 'sql/item_strfunc.cc'
--- a/sql/item_strfunc.cc	2010-05-03 16:14:39 +0000
+++ b/sql/item_strfunc.cc	2010-11-10 12:17:10 +0000
@@ -906,7 +906,12 @@ String *Item_func_replace::val_str(Strin
 redo:
     ptr=res->ptr()+offset;
     strend=res->ptr()+res->length();
-    end=strend-from_length+1;
+    /*
+      In some cases val_str() can return empty string
+      with ptr() == NULL and length() == 0.
+      Let's check strend to avoid overflow.
+    */
+    end= strend ? strend - from_length + 1 : strend;
     while (ptr < end)
     {
         if (*ptr == *search)
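Review bot: The new guard on `end` only covers `strend == NULL`; for a non-empty `res` shorter than `from_length`, `strend - from_length + 1` still forms a pointer before the start of the buffer, which is undefined pointer arithmetic even though the following `ptr < end` comparison happens to fail. Comparing lengths instead of pointers removes both cases in one expression: `end= res->length() >= from_length ? strend - from_length + 1 : ptr;` (with `ptr == NULL` for the empty case, `ptr < end` is false and the loop is skipped). Item_func_replace::val_str starts and ends outside this hunk, so a length check may already precede `redo:`; if it does, this only matters for the `goto redo` re-entry path. The added comment's "overflow" is really a pointer wrapping below the buffer start; `Avoid forming a pointer below res->ptr() when res is empty (ptr() == NULL) or shorter than the search string.` states the hazard more precisely.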

=== modified file 'sql/item_xmlfunc.cc'
--- a/sql/item_xmlfunc.cc	2009-11-06 19:34:25 +0000
+++ b/sql/item_xmlfunc.cc	2010-11-10 12:17:10 +0000
@@ -2790,12 +2790,12 @@ String *Item_func_xml_extractvalue::val_
   null_value= 0;
   if (!nodeset_func ||
       !(res= args[0]->val_str(str)) || 
-      !parse_xml(res, &pxml))
+      !parse_xml(res, &pxml) ||
+      !(res= nodeset_func->val_str(&tmp_value)))
   {
     null_value= 1;
     return 0;
   }
-  res= nodeset_func->val_str(&tmp_value);
   return res;  
 }
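Review bot: The reason `nodeset_func->val_str(&tmp_value)` can return NULL is recorded only in the commit message, not in the code, so a reader of the condition chain cannot tell that the last term is the unset-user-variable case from Bug#57820. A one-line comment above the `if`, `/* nodeset_func->val_str() returns NULL when the XPath expression refers to an unset user variable (Bug#57820) */`, keeps that knowledge next to the check. Reusing `res` for both the source XML document and the XPath result is legal but makes the chain harder to follow; a separate local for the result would make the two steps distinct. Item_func_xml_extractvalue::val_str starts outside this hunk.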
 

