Below is the list of changes that have just been committed into a local
5.1 repository of bar. When bar does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html
ChangeSet@stripped, 2007-05-23 12:34:47+05:00, bar@stripped +3 -0
Bug#28558 UpdateXML called with garbage crashes server
Problem: Memory overrun happened in attempts to generate
error messages (e.g. in case of incorrect XPath syntax).
Reason: set_if_bigger() was used instead of set_if_smaller().
Change: replacing wrong set_if_bigger() to set_if_smaller(),
and making minor additional code clean-ups.
mysql-test/r/xml.result@stripped, 2007-05-23 12:34:44+05:00, bar@stripped +6 -0
Adding test cases for all pieces of code with
set_if_smaller() followed by my_printf_error().
mysql-test/t/xml.test@stripped, 2007-05-23 12:34:44+05:00, bar@stripped +10 -0
Adding test cases for all pieces of code with
set_if_smaller() followed by my_printf_error().
sql/item_xmlfunc.cc@stripped, 2007-05-23 12:34:44+05:00, bar@stripped +5 -7
- fixing incorrect set_if_bigger to set_if_smaller in two places
- getting rid of unnecessary "char context[32]" variable and
using '%.*s' instead of '%s' in the error format.
# This is a BitKeeper patch. What follows are the unified diffs for the
# set of deltas contained in the patch. The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User: bar
# Host: bar.myoffice.izhnet.ru
# Root: /home/bar/mysql-5.1.b28558
--- 1.23/mysql-test/r/xml.result 2007-05-08 13:35:59 +05:00
+++ 1.24/mysql-test/r/xml.result 2007-05-23 12:34:44 +05:00
@@ -1006,3 +1006,9 @@
Warning 1292 Truncated incorrect INTEGER value: 'string '
Warning 1292 Truncated incorrect INTEGER value: 'string '
DROP PROCEDURE spxml;
+select UpdateXML('<a>a</a>',repeat('a b ',1000),'');
+ERROR HY000: XPATH syntax error: 'b a b a b a b a b a b a b a b a '
+select ExtractValue('<a>a</a>', '/a[@x=@y0123456789_0123456789_0123456789_0123456789]');
+ERROR HY000: XPATH error: comparison of two nodesets is not supported: '=@y0123456789_0123456789_0123456'
+select ExtractValue('<a>a</a>', '/a[@x=$y0123456789_0123456789_0123456789_0123456789]');
+ERROR HY000: Unknown XPATH variable at: '$y0123456789_0123456789_01234567'
--- 1.21/mysql-test/t/xml.test 2007-05-08 13:35:59 +05:00
+++ 1.22/mysql-test/t/xml.test 2007-05-23 12:34:44 +05:00
@@ -523,3 +523,13 @@
CALL spxml('<a><b>b1</b><b>b2</b></a>', 'string and 1');
CALL spxml('<a><b>b1</b><b>b2</b></a>', 'string');
DROP PROCEDURE spxml;
+
+#
+# Bug#28558 UpdateXML called with garbage crashes server
+#
+--error 1105
+select UpdateXML('<a>a</a>',repeat('a b ',1000),'');
+--error 1105
+select ExtractValue('<a>a</a>', '/a[@x=@y0123456789_0123456789_0123456789_0123456789]');
+--error 1105
+select ExtractValue('<a>a</a>', '/a[@x=$y0123456789_0123456789_0123456789_0123456789]');
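Review bot: All three added statements leave far more than 32 bytes of query after the failing token, so they only exercise the side of the clamp where truncation happens. With the old `set_if_bigger` a tail shorter than 32 bytes would also have been printed with a length of 32, so a case with a short erroneous tail would pin that side too, unless xml.test already has one earlier in the file (not visible here). A one-line comment above each statement naming the message it targets (syntax error, nodeset comparison, unknown variable) would make the intent of the three cases easier to follow.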
--- 1.28/sql/item_xmlfunc.cc 2007-05-08 13:35:59 +05:00
+++ 1.29/sql/item_xmlfunc.cc 2007-05-23 12:34:44 +05:00
@@ -923,8 +923,8 @@
else if (a->type() == Item::XPATH_NODESET &&
b->type() == Item::XPATH_NODESET)
{
- uint len= context->end - context->beg;
- set_if_bigger(len, 32);
+ uint len= xpath->query.end - context->beg;
+ set_if_smaller(len, 32);
my_printf_error(ER_UNKNOWN_ERROR,
"XPATH error: "
"comparison of two nodesets is not supported: '%.*s'",
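Review bot: The truncation limit in `set_if_smaller(len, 32);` is a bare literal, and the same `32` appears again in the second hunk of this file as `set_if_smaller(clen, 32);`. The bug being fixed came from a length limit and a buffer size falling out of step, so a single named constant shared by every XPath error site, for example `static const uint xpath_err_context_len= 32;` used as `set_if_smaller(len, xpath_err_context_len);`, would keep them aligned and document what the number means. The `my_printf_error` call continues past the end of this hunk, so the argument that pairs with `%.*s` is not visible here and should be checked to be `len` followed by `context->beg`.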
@@ -2591,12 +2591,10 @@
if (!rc)
{
- char context[32];
uint clen= xpath.query.end - xpath.lasttok.beg;
- set_if_bigger(clen, sizeof(context) - 1);
- strmake(context, xpath.lasttok.beg, clen);
- my_printf_error(ER_UNKNOWN_ERROR, "XPATH syntax error: '%s'",
- MYF(0), context);
+ set_if_smaller(clen, 32);
+ my_printf_error(ER_UNKNOWN_ERROR, "XPATH syntax error: '%.*s'",
+ MYF(0), clen, xpath.lasttok.beg);
return;
}
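Review bot: `clen` is an unsigned pointer difference with no check that `xpath.lasttok.beg` is at or before `xpath.query.end`, and after this change the pointer is handed straight to `%.*s` instead of being copied into a local buffer. If the tokenizer ever left `lasttok.beg` past the end of the query, the subtraction would wrap, `set_if_smaller` would clamp it to 32, and the formatter would read up to 32 bytes outside the query string. The parser presumably guarantees the ordering, but that is not visible in this hunk, so an assertion before the subtraction would make it explicit: `DBUG_ASSERT(xpath.lasttok.beg <= xpath.query.end);`. The same applies to `context->beg` in the first hunk of this file. The enclosing function starts outside the hunk.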