From: Alexander Barkov Date: January 18 2011 6:40am Subject: bzr commit into mysql-5.1 branch (alexander.barkov:3559) Bug#44332 List-Archive: http://lists.mysql.com/commits/129017 X-Bug: 44332 Message-Id: <201101180640.p0I6eCvs002145@bar.myoffice.izhnet.ru> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4710209666312982474==" --===============4710209666312982474== MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline #At file:///home/bar/mysql-bzr/mysql-5.1.b44332/ based on revid:vinay.fisrekar@stripped 3559 Alexander Barkov 2011-01-18 Bug#44332 my_xml_scan reads behind the end of buffer Problem: the scanner function tested for multi-character prefix strings without checking input string boundaries, which led to valgrind's "Conditional jump or move depends on uninitialised value(s)" error. Fix: adding boundary checking. @ mysql-test/r/xml.result @ mysql-test/t/xml.test Adding test @ strings/xml.c Adding a helper function my_xml_parser_prefix_cmp(), with input string boundary check. modified: mysql-test/r/xml.result mysql-test/t/xml.test strings/xml.c === modified file 'mysql-test/r/xml.result' --- a/mysql-test/r/xml.result 2010-11-22 09:21:10 +0000 +++ b/mysql-test/r/xml.result 2011-01-18 06:38:41 +0000 
@@ -1113,4 +1113,15 @@ SELECT UPDATEXML(NULL, (LPAD(0.1111E-15, ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111' value found during parsing SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1)); ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111' value found during parsing +# +# Bug #44332 my_xml_scan reads behind the end of buffer +# +SELECT UPDATEXML(CONVERT(_latin1'<' USING utf8),'1','1'); +UPDATEXML(CONVERT(_latin1'<' USING utf8),'1','1') +NULL +Warnings: +Warning 1525 Incorrect XML value: 'parse error at line 1 pos 2: END-OF-INPUT unexpected (ident or '/' wanted)' +SELECT UPDATEXML(CONVERT(_latin1'", 3); p->cur++) - {} - if (!memcmp(p->cur, "-->", 3)) - p->cur+=3; + for (; p->cur < p->end; p->cur++) + { + if (!my_xml_parser_prefix_cmp(p, C_STRING_WITH_LEN("-->"))) + { + p->cur+= 3; + break; + } + } a->end=p->cur; lex=MY_XML_COMMENT; } - else if (!memcmp(p->cur, "cur+= 9; for (; p->cur < p->end - 2 ; p->cur++) --===============4710209666312982474== MIME-Version: 1.0 Content-Type: text/bzr-bundle; charset="us-ascii"; name="bzr/alexander.barkov@stripped" Content-Transfer-Encoding: 7bit Content-Disposition: inline # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: alexander.barkov@stripped\ # 4hryslwcfpyrp606 # target_branch: file:///home/bar/mysql-bzr/mysql-5.1.b44332/ # testament_sha1: 6e98caec0fb3fc13313ddf72739b2026d037ab33 # timestamp: 2011-01-18 09:40:12 +0300 # base_revision_id: vinay.fisrekar@stripped\ # lictvi6f81lzg7nj # # Begin bundle IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWSzhP4MAA7JfgFQweP///3/n 3+i////+YAhJzu23wenSzXvtz5S9lmgMtADhJRNNSehoDUYT1MGibSPUygxNGIyeSB6m1AxBKI1C 
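Review bot: In the rewritten comment loop, when `p->cur` reaches `p->end` without `-->` having been found, control still falls through to `a->end=p->cur; lex=MY_XML_COMMENT;`, so an unterminated comment is accepted as a complete comment token rather than reported; the old `memcmp`-based loop behaved the same way, but the new bounded loop is the place to decide this deliberately, either by signalling an error the way the scanner reports its other failures when the loop runs off the end, or by documenting the tolerance with `/* an unterminated comment is accepted and extends to end of input */` above the loop. The `p->cur+= 3` after a successful `my_xml_parser_prefix_cmp` repeats the length of the literal passed one line earlier; deriving it from the same literal (`sizeof("-->") - 1`, or the length half of `C_STRING_WITH_LEN`) keeps the skip and the comparison in step, and the same applies to the `p->cur+= 9` visible in the CDATA path. This hunk is garbled in this rendering (lines that began with an XML prefix appear to have been stripped), so the `@@` header, the removed lines and the definition of `my_xml_parser_prefix_cmp` are not visible here, and the enclosing function begins before the visible part of the hunk.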
p6NtNNKb0p6p6ntSe1QNPUxAAYgAaDTQAZJCeAhJ6mmj0mQNGgADQAAAAAGIkxESNPZJtNTao9Ty mRkyGgA0MAgMTEBlJAeoAABoABoAAAAAAAEkSZGiMCnkAk8jUp+Q1T9Uep6anqemSA0AB6aQdCB3 XWkC9Le5ni/Dfy6t+JkBMzbj1/xpMzNvRebaY21aZsbmGy+HQ0+re5zxJ179bhYZVDjZhQIGnTWb Wya31UQosofR9qaowxAqFAKkAu1JvGi75o6+PP6WN9MU4kVVVQpCj8g61ueNXiYRQtuYTUYJtdxd jtkN6NTzNDib97r1bgMihnGgw4gNIOPNlnWXOY0dqVWXUQFKN/THAP1KMb0PbPSP85lqvhFJgam/ WAbHFBhvwNUgFuhOCCkDKMVrAaVKyV3eLkdpwx2KfNbF1Ki/x7n893kumSKy3RCuWoYOuNvrsaRK xUwgCVAII34qbEkt/QAY2gFgWxI8x2GzAtnBkCiiZEBfTbyhmvwJMcw21grAW8t0AyACnlYMoMgd gVS4sJjD+gHAIoyERWS2a67l005GTq6apyqe2i03m33C6v7vXPP9LRSJhewy6JGtQA7eajRFZepN sm9KQVrIfMUMnAKCCSYZaE2cvIklJEAzelBTEQ8aUfYSKjT5BNpKo8yQxTOMNQ7BJgixkCyFMRP4 90yxMkvdElM2/v3HZCiRNJOfQceAVjwQpU0EAvHOAa3pwtpypMt9QVF4zWk0HPkw7KNSexkxUmyC Vdg1ahorBIkididR/TxGFURGNvavx2kMtg4wzXLvEiZ2GBv1GJQDmswdKDm/tOV+uT5lky8sNbwM NjixsJk9XL6xyLHOJcMjMqzZERUBQBiQsBUjZ2ONIQTOM6JhnlMS58GBwJJyLlhXnzfWdeFpj0us QwjTVdQM1eBeDFB81jvvWJM4s2+qeCzxfE5F1ZQGpWmwhbAx5CKyMKdWQ5qKSUTNDZwFB0Ct4XWH uy3QLjK4V2r0TJ+yBtgRDXmZqDRTNUZVZElMQuIqNEqNA8QUuFlrsLa80kLsbc9mtO0W5dK22sM2 464Upax+9gWsqDGFxnJEonRXl91pdwFUQghQVgO/fRERuoIlzX4lJG2q8o3Ckzv0jyUSmEdeGqsU vFtNuwkQpMTKGENi6NsK0MOFJ7FRqMRFiEhQ0AJAxknO7sYmA891uTaKCKlUCvOfh2hAWKSVxTcK YZMFAUMUZiQ1WPWwALYZHKuQqqiqr+ZRuMmIwMlvl5jOJteYOcFSp3QJAT/d1aCCiL+K0+i+2w/4 lgH4r8CH1AziH1EXF4tWYq6xYSqwX4OKAYSFSqgeApAWLFVlXYMwGkBU04dUFBZiNZ/lJXX4Xl4d CJ5lgQXxZkZUO6e5ygE9kQEnUPAoOiLnOzUUiA97z07RpRp+BskSI7YVyr9RREUdnvLAZWf19/3j G+lTN+afdxBQ/k5w0+a0QcPf4JGvqIRQnp21mFi0LZbpYhqjrnCVGj60xAomMfrhSNY0uBMWVvn0 Hnj7IVi82qp0B5MAyQcbCsaMJoJOsD1FQeRuNCJ/ZzwEeJdzbIOK5NBh0jajrmgGWU5BCUz0kPAo FDAwbWOrbW9lMiPNEhg5NgY1u73K8PsvBWaugMqdLCm0sTyh1+hSciY6CHBCJbZzjMpXpnCZ5akW BrmyEhEbcJTsUKZQOYuZttVRPknCQz4jAwuqGSrI7i/TVarMekYSEc3pcqxLPfsuK9FdyLGgZ8rA 6JkPxTUWuC4bdyOTWFOBbJAzWJFhaC3GuKUqV3KIu65w5me0mLYtkjfPeTKIk70uBaGi9S4lcU6i Rj4OWFT5BFZsBM+qMExnNiW8XsDBY5yLFWVh1JHb6RrDgN1AaAYOsJHhoqF3lNczYIs3CKKpDpux 
rXuwWPsS9z+Eqv+9h4B4negiUMK1WqrkK0wvsiNFmdQJq7pvq1Ggms1itW4stv7T/UkVhP2+LE1q N2Ow5LWdIqgt4CkdNoLmWF/Oy5awYYDWiJ0GDQy0iHpKQK7xQV6QwsrrF53AuijpA4YWjBiYRMrB D7vFflyAK22J5K3tyIGnU8wROnDYKmYeGRwKTP5J/5lLn0N5ljlfamHGvBqBMioxcx44hpGACQKc uAZPANr0OQaZh3sKnAMJTIgi6IR3htXbZvpHdPoGC3KCBgFCJ39mGmkRwszNokahQUvCCZarTlWn vBegDyX/mtPg7lHpQcDAQ7AxMRu0IpBKZuKe3ezmQuR5yaNFdtkpEojJLfXAl5FvkcTAq7FkaXEI MNBoLB6Ej5MopkQQGJ2+zRPx2oxU0H2BKrycLDXLLRDgrVe6oPvjLXafaInWTEzuMtojnZD84d3W +cjQm93f8NmGKrrx77z1wRtO9lUrSInU+dyOyC2CPuXazMzOlUrl1ZHwGXa3G4VavagPYFFp5mzR p+T9IW5wJRYYhQ5kx76aYqj2CZNN4WXdQwNZBJpip7KAazg78MRxayjiSVNQrVJ0PNkeJVpJcj10 H5jzPRiQ9S+azOpO8OrA5ksiGd6N0dCiQulAJ1SPor+J5VVretot0jYWHf5luoRw1vBZlhmSI6bu ApAsTIc5+mkd3HdzuAoA9AUptaD2nARARBLlHQ1ouXMavpxMKfj8fH+YOZv+LuSKcKEgWcJ/Bg== --===============4710209666312982474==--