From: Alexander Barkov
Date: March 1 2011 2:39pm
Subject: bzr push into mysql-5.1 branch (alexander.barkov:3604 to 3605) Bug#44332
 Bug#59901 Bug#11766725
List-Archive: http://lists.mysql.com/commits/132210
X-Bug: 44332,59901,11766725
Message-Id: <201103011439.p21EdO9O002701@bar.myoffice.izhnet.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

 3605 Alexander Barkov	2011-03-01
      Bug#11766725 (Bug#59901) EXTRACTVALUE STILL BROKEN AFTER FIX FOR BUG #44332
      
      Problem: a byte behind the end of input string was read
      in case of a broken XML not having a quote or doublequote
      character closing a string value.
      
      Fix: changing condition not to read behind the end of input string
      
        @ mysql-test/r/xml.result
        @ mysql-test/t/xml.test
        Adding tests
      
        @ strings/xml.c
        When checking if the closing quote/doublequote was found,
        using p->cur[0] us unsafe, as p->cur can point to the byte after the value.
        Comparing p->cur to p->beg instead.

    modified:
      mysql-test/r/xml.result
      mysql-test/t/xml.test
      strings/xml.c
 3604 hery.ramilison@stripped	2011-02-22 [merge]
      Null-merge from mysql-5.1.52sp1-release

=== modified file 'mysql-test/r/xml.result'
--- a/mysql-test/r/xml.result	2011-01-18 06:38:41 +0000
+++ b/mysql-test/r/xml.result	2011-03-01 12:30:18 +0000
@@ -1124,4 +1124,12 @@ Warning	1525	Incorrect XML value: 'parse
 SELECT UPDATEXML(CONVERT(_latin1'<!--' USING utf8),'1','1');
 UPDATEXML(CONVERT(_latin1'<!--' USING utf8),'1','1')
 NULL
+#
+# Bug#11766725 (bug#59901): EXTRACTVALUE STILL BROKEN AFTER FIX FOR BUG #44332
+#
+SELECT ExtractValue(CONVERT('<\"', BINARY(10)), 1);
+ExtractValue(CONVERT('<\"', BINARY(10)), 1)
+NULL
+Warnings:
+Warning	1525	Incorrect XML value: 'parse error at line 1 pos 11: STRING unexpected (ident or '/' wanted)'
 End of 5.1 tests

=== modified file 'mysql-test/t/xml.test'
--- a/mysql-test/t/xml.test	2011-01-18 06:38:41 +0000
+++ b/mysql-test/t/xml.test	2011-03-01 12:30:18 +0000
@@ -646,4 +646,9 @@ SELECT EXTRACTVALUE('', LPAD(0.1111E-15,
 SELECT UPDATEXML(CONVERT(_latin1'<' USING utf8),'1','1');
 SELECT UPDATEXML(CONVERT(_latin1'<!--' USING utf8),'1','1');
 
+--echo #
+--echo # Bug#11766725 (bug#59901): EXTRACTVALUE STILL BROKEN AFTER FIX FOR BUG #44332
+--echo #
+SELECT ExtractValue(CONVERT('<\"', BINARY(10)), 1);
+
 --echo End of 5.1 tests

=== modified file 'strings/xml.c'
--- a/strings/xml.c	2011-01-19 13:17:52 +0000
+++ b/strings/xml.c	2011-03-01 12:30:18 +0000
@@ -165,11 +165,16 @@ static int my_xml_scan(MY_XML_PARSER *p,
   }
   else if ( (p->cur[0] == '"') || (p->cur[0] == '\'') )
   {
+    /*
+      "string" or 'string' found.
+      Scan until the closing quote/doublequote, or until the END-OF-INPUT.
+    */
     p->cur++;
     for (; ( p->cur < p->end ) && (p->cur[0] != a->beg[0]); p->cur++)
     {}
     a->end=p->cur;
-    if (a->beg[0] == p->cur[0])p->cur++;
+    if (p->cur < p->end) /* Closing quote or doublequote has been found */
+      p->cur++;
     a->beg++;
     if (!(p->flags & MY_XML_FLAG_SKIP_TEXT_NORMALIZATION))
       my_xml_norm_text(a);

No bundle (reason: useless for push emails).