From: Alexander&nbsp;Barkov
Date: January 17 2011 2:48pm
Subject: bzr commit into mysql-5.1 branch (alexander.barkov:3558) Bug#44332
List-Archive: http://lists.mysql.com/commits/128988
X-Bug: 44332
Message-Id: <201101171448.p0HEmqoO020502@bar.myoffice.izhnet.ru>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5640939758302270527=="

--===============5640939758302270527==
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

#At file:///home/bar/mysql-bzr/mysql-5.1.b44332/ based on revid:alexander.barkov@stripped

 3558 Alexander Barkov	2011-01-17
      Bug#44332 my_xml_scan reads behind the end of buffer
      
      Problem: the scanner function tested for strings "<![CDATA[" and
      "<--" without checking input string boundaries, which led to valgrind's
      "Conditional jump or move depends on uninitialised value(s)" error.
      
      Fix: Adding boundary checking.
      
        @ mysql-test/r/xml.result
        @ mysql-test/t/xml.test
        Adding test
      
        @ strings/xml.c
        Adding a helper function my_xml_parser_prefix_cmp(),
        with input string boundary check.

    modified:
      mysql-test/r/xml.result
      mysql-test/t/xml.test
      strings/xml.c
=== modified file 'mysql-test/r/xml.result'
--- a/mysql-test/r/xml.result	2010-11-22 09:21:10 +0000
+++ b/mysql-test/r/xml.result	2011-01-17 14:24:28 +0000
@@ -1113,4 +1113,15 @@ SELECT UPDATEXML(NULL, (LPAD(0.1111E-15,
 ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111' value found during parsing
 SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1));
 ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111' value found during parsing
+#
+# Bug #44332 	my_xml_scan reads behind the end of buffer
+#
+SELECT UPDATEXML(CONVERT(_latin1'<' USING utf8),'1','1');
+UPDATEXML(CONVERT(_latin1'<' USING utf8),'1','1')
+NULL
+Warnings:
+Warning	1525	Incorrect XML value: 'parse error at line 1 pos 2: END-OF-INPUT unexpected (ident or '/' wanted)'
+SELECT UPDATEXML(CONVERT(_latin1'<!--' USING utf8),'1','1');
+UPDATEXML(CONVERT(_latin1'<!--' USING utf8),'1','1')
+NULL
 End of 5.1 tests

=== modified file 'mysql-test/t/xml.test'
--- a/mysql-test/t/xml.test	2010-11-22 09:21:10 +0000
+++ b/mysql-test/t/xml.test	2011-01-17 14:24:28 +0000
@@ -640,5 +640,10 @@ SELECT UPDATEXML(NULL, (LPAD(0.1111E-15,
 --error ER_ILLEGAL_VALUE_FOR_TYPE
 SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1));
 
+--echo #
+--echo # Bug #44332 	my_xml_scan reads behind the end of buffer
+--echo #
+SELECT UPDATEXML(CONVERT(_latin1'<' USING utf8),'1','1');
+SELECT UPDATEXML(CONVERT(_latin1'<!--' USING utf8),'1','1');
 
 --echo End of 5.1 tests

=== modified file 'strings/xml.c'
--- a/strings/xml.c	2010-07-02 18:30:47 +0000
+++ b/strings/xml.c	2011-01-17 14:24:28 +0000
@@ -106,6 +106,13 @@ static void my_xml_norm_text(MY_XML_ATTR
 }
 
 
+static inline my_bool
+my_xml_parser_prefix_cmp(MY_XML_PARSER *p, const char *s, size_t slen)
+{
+  return (p->cur + slen > p->end) || memcmp(p->cur, s, slen);
+}
+
+
 static int my_xml_scan(MY_XML_PARSER *p,MY_XML_ATTR *a)
 {
   int lex;
@@ -123,16 +130,20 @@ static int my_xml_scan(MY_XML_PARSER *p,
   a->beg=p->cur;
   a->end=p->cur;
   
-  if ((p->end - p->cur > 3) && !memcmp(p->cur,"<!--",4))
+  if (!my_xml_parser_prefix_cmp(p, C_STRING_WITH_LEN("<!--")))
   {
-    for (; (p->cur < p->end) && memcmp(p->cur, "-->", 3); p->cur++)
-    {}
-    if (!memcmp(p->cur, "-->", 3))
-      p->cur+=3;
+    for (; p->cur < p->end; p->cur++)
+    {
+      if (!my_xml_parser_prefix_cmp(p, C_STRING_WITH_LEN("-->")))
+      {
+        p->cur+= 3;
+        break;
+      }
+    }
     a->end=p->cur;
     lex=MY_XML_COMMENT;
   }
-  else if (!memcmp(p->cur, "<![CDATA[",9))
+  else if (!my_xml_parser_prefix_cmp(p, C_STRING_WITH_LEN("<![CDATA[")))
   {
     p->cur+= 9;
     for (; p->cur < p->end - 2 ; p->cur++)


--===============5640939758302270527==
MIME-Version: 1.0
Content-Type: text/bzr-bundle; charset="us-ascii";
 name="bzr/alexander.barkov@stripped"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: alexander.barkov@stripped\
#   2lxj9eqean9ya7zn
# target_branch: file:///home/bar/mysql-bzr/mysql-5.1.b44332/
# testament_sha1: b1712236e2167a42f8aefd75fb8d98cef74d5ed9
# timestamp: 2011-01-17 17:48:52 +0300
# base_revision_id: alexander.barkov@stripped\
#   64dwqa4aiu382e7y
# 
# Begin bundle
IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWdr6MvgAA7bfgFQweP///3/n
3+i////+YAgjrrfNAAGzL2ZVSgOsig8JJCIyMmkegaqf6Ayp5TPUKeo2mp6jR6jZTRtDIh6IJUoA
AANA0AADQGmgAAAABESaafqJ+qNDQAyAAAAPUAAAAAMRJppIAPUxpNANAA0AAAAAAHMJoDQGjRhG
gxGmJkxNBhGgZAMmAkiTTQJgENTEniECZpQemppskD01AA8REIgP4zuHr7cfk3jHrqt+/JIzyxvj
t7/8+RbZvlwfV2EdTS3udfIWf19IZtudznhyMZ55mGnsvDi6qIQV1zGG7K33Xop4sUUcfjzPx4tg
EowBeQFOtbTLT4J2ejX2wORa1xJmZkCkJvMGmxlRrZzCKFVTCSjBNacVU2JxdjWeRmcSfH/tFQZm
hsNyh3BYLJXov8aeq1F5s0uiZgkZafnHgPleUUaLtOO6/LDAioB4YjMK+qAWMRCaaRmGwBCXPhJI
4Cu/VEFQq2rh7RcsOjXNRLz8Yuxc1W/yj6s/LnN0mN3JkV2E9hNro5wrFV2hQBKgEEbeJRSklyZg
BjZALAtho9xuNbBfmKA6Zuyw72/VzMq/M0V0W2QpBKtU+UosB61IUws0Z/ANm5dpzD6AF4j1dV1K
70vx+OEy91e1t57Kys/CExOZvUKx3q9MkfXbGJSBiY2iTAatihiiXE9NkvvZJIKliO/rE1rgExBJ
MMtExOTEyK4BBpke0iTHvUmIrxPE+c45THSzYQYKGCtjIFiL7+6R8a06S+20vqNZanKE05SknMhx
4JVDwQp5TEAzWBAyC16MbqLpGe2gKBlgO1xtRGai0REhP1vpX8Yqjk8yE22nwONnElg16wMTPBa8
hxSOYx+W4ljm4wzdwkSMci4qLiAOjmXulBzXtONgi7OXI3VGBYUSJnENjvcUxQXWcn+s2ZWrKDPQ
RxMTC+T5OsjI0DINk49GyVCuGiFIe6mConpnN6jfAnwmLbCzv4YEed1CN9FML2ZkiUBGRaDET4LH
hqUmbNweVF6bPA5GyROFnJMbzdWozGFRB9bMysZoE0jhpeECqWXKwtL7MDSHCilVLr+c5QWz4Ed5
ZPNoydmuM2LCYv0KGLhtFj042lMtleSMM9tOOPmMulFlmLBtaZCYZ6bbu5riF6KDbu3mwqMJy4vU
4i/ZcX2CgIpKo40BMpRjG/b2VEjBsZFBNfXgRvJx6hyNN5fV5OHAkMYDBcWmVZmIn4HgI6Zb7/S2
3NasWhfJM9dTV2IgxCQmaAE4MZ1r3KWA2bNVWkUEU2sDptyGNmMykSer/rUmgWZhy0naJYPHpA6i
NWY5mGZkzP8GIewyCgEFR2eBhFJ+YeQMrzvoKcXzxSoIKIvktPmvvrP+pYB+S+hD6gaRD6iLi8Vm
gqqhYT0YL6OKAYTikqAeApwK1iqijMZgNsBVKYhgE/HId5/ypxL4Lz93UjhuWpBUK1HciHX2wTxR
tIBBWGYFc+oVb3hQbCBqMC6qfsgvLCmEzbIYhDuED8sITCwUd9S9xYDJ/7e7+oxwkqjhtVYiHDkk
pv5uct+iDj8fkJfL7iIonT4bGL8RfLKXQ2dbjQscnubmQVTNuiEtms7jQFhSv57z3l48fxjVv1cp
vWHmwG9/KxiN1DvflgZ8pweZiUOcqMBzxnweXFFjUhsVDPYcJZ0eXRAayokMS/4h4JhMepx7lrls
iiCG59HmSyHKb2x7OxWl/HfSWOu4NSg+CdHZKrx0RVdCp5k0HxaokBZzz2lneVnQ81fJqYQzMyw8
GXaX+pdVZMy9b5KwU9PALhFJsUFCqUyy5XvLLOGdqbTAhlptamNtuX0POKzHVk6iZ8rQ6pkP0EVp
42ukuG7ejk1hLAunQM1iRWXJLebIpTyXcoiPIbe/oNrSKcy7Cg1Lggy+JMGRdK1LKr6NtN0FwuZx
bFKMJm5/QZq2Ft0F/TSUh3E52cBqzUbmA0AvdXznn0Uy8hKqkq3CISism2Pbh6kv1v3Rl+eJ0DvO
iCJMwrFLgLUwuqiNFmdQKFb5NaKzQTV5i3lWy/ivA/3kisKvs87HrEWnDPU7VaWwLeIonTVJcysv
51XKwGGAtRE6DBuMtsQ8CQFV4oK8SYWV1a8bklNq5wv2DBgXxMW184jxxAKW2p51s7cSBp4HEEUy
v2ilSHlxOwkZ+9P/Qk58z0HMzyzwuTEQgPg0FEUREEUqUPjIaRnASBTlyTO8A0rUYEGtQHcScMJ5
EQRdEZew9HD0rlSXLkV79RBWRZL4YzdaSex3d9BKwUFHvemWGcrlTqElrAuX2ac63OIb0FQ/SyZH
l6URhWW6eHFo4G0yzbzdMjE6gvES3VTiM6pSuJ7ioxklCxNLiEGGg0Fg8wl72AcEYnH26J+u5FaD
7gjL7HCosnx2odJbFc6mPxjPZsKKSgTO4y7aX9gc+ttE5kcHt6e7lfgqqsOl56II3HVlQrSInVPk
uRnBfgtLMzN+iWJWsjsGWpq8QpFQ0AuhMdBmytJc7a+el5PFhiEzmLH2ylFTekTJqXhXd3hgbCCT
UilvmBq+DvwxHFsJuJOpUCtU7oelkeco28j1wR7DxPJiQ9C+C0O8puDvZzJZENM0ax2k04ukySdS
H2q/ieqjcLfMbSk7vEs7Kq4LMrMzVSJ9uvYKSSwMRycRz8KB3cd3OoEQO1FqDxEe1Dpdtm4tRgWy
ELS2geihFL5ESTT/i7kinChIbX0ZfAA=


--===============5640939758302270527==--