From:Alexander Barkov Date:November 18 2010 1:12pm
Subject:bzr commit into mysql-5.1-bugteam branch (bar:3509) Bug#57279
#At file:///home/bar/mysql-bzr/mysql-5.1-bugteam.b57279/ based on revid:davi.arnaut@stripped

 3509 Alexander Barkov	2010-11-18
      Bug#57279 updatexml dies with: Assertion failed: str_arg[length] == 0
      
      Problem: crash in Item_float constructor on DBUG_ASSERT due
      to not null-terminated string parameter.
      
      Fix: making Item_float::Item_float safe for a non-null-terminated string parameter:
      - Using temporary buffer when generating error
      
      modified:
        @ mysql-test/r/xml.result
        @ mysql-test/t/xml.test
        @ sql/item.cc

    modified:
      mysql-test/r/xml.result
      mysql-test/t/xml.test
      sql/item.cc
=== modified file 'mysql-test/r/xml.result'
--- a/mysql-test/r/xml.result	2009-07-10 23:12:13 +0000
+++ b/mysql-test/r/xml.result	2010-11-18 13:11:18 +0000
@@ -1093,4 +1093,11 @@ Warnings:
 Warning	1525	Incorrect XML value: 'parse error at line 1 pos 23: unexpected END-OF-INPUT'
 Warning	1525	Incorrect XML value: 'parse error at line 1 pos 23: unexpected END-OF-INPUT'
 DROP TABLE t1;
+#
+# Bug#57279 updatexml dies with: Assertion failed: str_arg[length] == 0
+#
+SELECT UPDATEXML(NULL, (LPAD(0.1111E-15, '2011', 1)), 1);
+ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111' value found during parsing
+SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1));
+ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111' value found during parsing
 End of 5.1 tests

=== modified file 'mysql-test/t/xml.test'
--- a/mysql-test/t/xml.test	2009-07-10 23:12:13 +0000
+++ b/mysql-test/t/xml.test	2010-11-18 13:11:18 +0000
@@ -617,4 +617,14 @@ FROM t1 ORDER BY t1.id;
 
 DROP TABLE t1;
 
+--echo #
+--echo # Bug#57279 updatexml dies with: Assertion failed: str_arg[length] == 0
+--echo #
+
+--error ER_ILLEGAL_VALUE_FOR_TYPE
+SELECT UPDATEXML(NULL, (LPAD(0.1111E-15, '2011', 1)), 1);
+--error ER_ILLEGAL_VALUE_FOR_TYPE
+SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1));
+
+
 --echo End of 5.1 tests

=== modified file 'sql/item.cc'
--- a/sql/item.cc	2010-09-13 07:18:35 +0000
+++ b/sql/item.cc	2010-11-18 13:11:18 +0000
@@ -5286,8 +5286,17 @@ static uint nr_of_decimals(const char *s
 
 
 /**
-  This function is only called during parsing. We will signal an error if
-  value is not a true double value (overflow)
+  This function is only called during parsing:
+  - when parsing SQL query from sql_yacc.yy
+  - when parsing XPath query from item_xmlfunc.cc
+  We will signal an error if value is not a true double value (overflow):
+  eng: Illegal %s '%-.192s' value found during parsing
+  
+  Note: the string is NOT null terminated when called from item_xmlfunc.cc,
+  so this->name will contain some SQL query tail behind the "length" bytes.
+  This is Ok for now, as this Item is never seen in SHOW,
+  or EXPLAIN, or anywhere else in metadata.
+  Item->name should be fixed to use LEX_STRING eventually.
 */
 
 Item_float::Item_float(const char *str_arg, uint length)
@@ -5298,12 +5307,9 @@ Item_float::Item_float(const char *str_a
                     &error);
   if (error)
   {
-    /*
-      Note that we depend on that str_arg is null terminated, which is true
-      when we are in the parser
-    */
-    DBUG_ASSERT(str_arg[length] == 0);
-    my_error(ER_ILLEGAL_VALUE_FOR_TYPE, MYF(0), "double", (char*) str_arg);
+    char tmp[NAME_LEN + 1];
+    my_snprintf(tmp, sizeof(tmp), "%.*s", length, str_arg);
+    my_error(ER_ILLEGAL_VALUE_FOR_TYPE, MYF(0), "double", tmp);
   }
   presentation= name=(char*) str_arg;
   decimals=(uint8) nr_of_decimals(str_arg, str_arg+length);
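Review bot: The new `my_snprintf(tmp, sizeof(tmp), "%.*s", length, str_arg);` still leans on my_snprintf's handling of a `*` precision: `length` is a `uint` while `*` consumes an `int`, and if my_vsnprintf computes `strlen()` on the argument before applying the precision (as MySQL's limited implementation of this era appears to), it keeps reading past `length` bytes into whatever follows str_arg — the same over-read the removed assertion was guarding against, now silent. A bounded copy removes both dependencies: `uint n= length; set_if_smaller(n, NAME_LEN); memcpy(tmp, str_arg, n); tmp[n]= 0;`. The `presentation= name=(char*) str_arg;` line below still stores the unterminated pointer; the new header comment accepts that because the Item supposedly never reaches SHOW/EXPLAIN output, but that is an invariant worth asserting or at least documenting at the item_xmlfunc.cc call site rather than only here. Item_float::Item_float begins above this hunk and its body continues past it.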


Attachment: [text/bzr-bundle] bzr/bar@mysql.com-20101118131118-b3qsldgpkixci5yd.bundle