List:Commits« Previous MessageNext Message »
From:Alexander Barkov Date:January 17 2011 2:48pm
Subject:bzr commit into mysql-5.1 branch (alexander.barkov:3558) Bug#44332
View as plain text  
#At file:///home/bar/mysql-bzr/mysql-5.1.b44332/ based on revid:alexander.barkov@stripped

 3558 Alexander Barkov	2011-01-17
      Bug#44332 my_xml_scan reads behind the end of buffer
      
      Problem: the scanner function tested for strings "<![CDATA[" and
      "<--" without checking input string boundaries, which led to valgrind's
      "Conditional jump or move depends on uninitialised value(s)" error.
      
      Fix: Adding boundary checking.
      
        @ mysql-test/r/xml.result
        @ mysql-test/t/xml.test
        Adding test
      
        @ strings/xml.c
        Adding a helper function my_xml_parser_prefix_cmp(),
        with input string boundary check.

    modified:
      mysql-test/r/xml.result
      mysql-test/t/xml.test
      strings/xml.c
=== modified file 'mysql-test/r/xml.result'
--- a/mysql-test/r/xml.result	2010-11-22 09:21:10 +0000
+++ b/mysql-test/r/xml.result	2011-01-17 14:24:28 +0000
@@ -1113,4 +1113,15 @@ SELECT UPDATEXML(NULL, (LPAD(0.1111E-15,
 ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111' value found during parsing
 SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1));
 ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111' value found during parsing
+#
+# Bug #44332 	my_xml_scan reads behind the end of buffer
+#
+SELECT UPDATEXML(CONVERT(_latin1'<' USING utf8),'1','1');
+UPDATEXML(CONVERT(_latin1'<' USING utf8),'1','1')
+NULL
+Warnings:
+Warning	1525	Incorrect XML value: 'parse error at line 1 pos 2: END-OF-INPUT unexpected (ident or '/' wanted)'
+SELECT UPDATEXML(CONVERT(_latin1'<!--' USING utf8),'1','1');
+UPDATEXML(CONVERT(_latin1'<!--' USING utf8),'1','1')
+NULL
 End of 5.1 tests

=== modified file 'mysql-test/t/xml.test'
--- a/mysql-test/t/xml.test	2010-11-22 09:21:10 +0000
+++ b/mysql-test/t/xml.test	2011-01-17 14:24:28 +0000
@@ -640,5 +640,10 @@ SELECT UPDATEXML(NULL, (LPAD(0.1111E-15,
 --error ER_ILLEGAL_VALUE_FOR_TYPE
 SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1));
 
+--echo #
+--echo # Bug #44332 	my_xml_scan reads behind the end of buffer
+--echo #
+SELECT UPDATEXML(CONVERT(_latin1'<' USING utf8),'1','1');
+SELECT UPDATEXML(CONVERT(_latin1'<!--' USING utf8),'1','1');
 
 --echo End of 5.1 tests

=== modified file 'strings/xml.c'
--- a/strings/xml.c	2010-07-02 18:30:47 +0000
+++ b/strings/xml.c	2011-01-17 14:24:28 +0000
@@ -106,6 +106,13 @@ static void my_xml_norm_text(MY_XML_ATTR
 }
 
 
+static inline my_bool
+my_xml_parser_prefix_cmp(MY_XML_PARSER *p, const char *s, size_t slen)
+{
+  return (p->cur + slen > p->end) || memcmp(p->cur, s, slen);
+}
+
+
 static int my_xml_scan(MY_XML_PARSER *p,MY_XML_ATTR *a)
 {
   int lex;
@@ -123,16 +130,20 @@ static int my_xml_scan(MY_XML_PARSER *p,
   a->beg=p->cur;
   a->end=p->cur;
   
-  if ((p->end - p->cur > 3) && !memcmp(p->cur,"<!--",4))
+  if (!my_xml_parser_prefix_cmp(p, C_STRING_WITH_LEN("<!--")))
   {
-    for (; (p->cur < p->end) && memcmp(p->cur, "-->", 3); p->cur++)
-    {}
-    if (!memcmp(p->cur, "-->", 3))
-      p->cur+=3;
+    for (; p->cur < p->end; p->cur++)
+    {
+      if (!my_xml_parser_prefix_cmp(p, C_STRING_WITH_LEN("-->")))
+      {
+        p->cur+= 3;
+        break;
+      }
+    }
     a->end=p->cur;
     lex=MY_XML_COMMENT;
   }
-  else if (!memcmp(p->cur, "<![CDATA[",9))
+  else if (!my_xml_parser_prefix_cmp(p, C_STRING_WITH_LEN("<![CDATA[")))
   {
     p->cur+= 9;
     for (; p->cur < p->end - 2 ; p->cur++)


Attachment: [text/bzr-bundle] bzr/alexander.barkov@oracle.com-20110117142428-2lxj9eqean9ya7zn.bundle
Thread
bzr commit into mysql-5.1 branch (alexander.barkov:3558) Bug#44332Alexander Barkov17 Jan