Commit 1da8ea2e authored by unknown's avatar unknown

Bug#28558 UpdateXML called with garbage crashes server

Problem: Memory overrun happened in attempts to generate
error messages (e.g. in case of incorrect XPath syntax).
Reason: set_if_bigger() was used instead of set_if_smaller().
Change: replacing wrong set_if_bigger() to set_if_smaller(),
and making minor additional code clean-ups.


mysql-test/r/xml.result:
  Adding test cases for all pieces of code with
  set_if_smaller() followed by my_printf_error().
mysql-test/t/xml.test:
  Adding test cases for all pieces of code with
  set_if_smaller() followed by my_printf_error().
sql/item_xmlfunc.cc:
  - fixing incorrect set_if_bigger to set_if_smaller in two places
  - getting rid of the unnecessary "char context[32]" variable and
    using '%.*s' instead of '%s' in the error format.
parent b626d5d7
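--- a/mysql-test/r/xml.result
+++ b/mysql-test/r/xml.result
@@ -1006,3 +1006,9 @@ Warnings:
 Warning 1292 Truncated incorrect INTEGER value: 'string '
 Warning 1292 Truncated incorrect INTEGER value: 'string '
 DROP PROCEDURE spxml;
+select UpdateXML('<a>a</a>',repeat('a b ',1000),'');
+ERROR HY000: XPATH syntax error: 'b a b a b a b a b a b a b a b a '
+select ExtractValue('<a>a</a>', '/a[@x=@y0123456789_0123456789_0123456789_0123456789]');
+ERROR HY000: XPATH error: comparison of two nodesets is not supported: '=@y0123456789_0123456789_0123456'
+select ExtractValue('<a>a</a>', '/a[@x=$y0123456789_0123456789_0123456789_0123456789]');
+ERROR HY000: Unknown XPATH variable at: '$y0123456789_0123456789_01234567'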
...@@ -523,3 +523,13 @@ CALL spxml('<a><b>b1</b><b>b2</b></a>', '1 and string'); ...@@ -523,3 +523,13 @@ CALL spxml('<a><b>b1</b><b>b2</b></a>', '1 and string');
CALL spxml('<a><b>b1</b><b>b2</b></a>', 'string and 1'); CALL spxml('<a><b>b1</b><b>b2</b></a>', 'string and 1');
CALL spxml('<a><b>b1</b><b>b2</b></a>', 'string'); CALL spxml('<a><b>b1</b><b>b2</b></a>', 'string');
DROP PROCEDURE spxml; DROP PROCEDURE spxml;
#
# Bug#28558 UpdateXML called with garbage crashes server
#
--error 1105
select UpdateXML('<a>a</a>',repeat('a b ',1000),'');
--error 1105
select ExtractValue('<a>a</a>', '/a[@x=@y0123456789_0123456789_0123456789_0123456789]');
--error 1105
select ExtractValue('<a>a</a>', '/a[@x=$y0123456789_0123456789_0123456789_0123456789]');
...@@ -923,8 +923,8 @@ static Item *create_comparator(MY_XPATH *xpath, ...@@ -923,8 +923,8 @@ static Item *create_comparator(MY_XPATH *xpath,
else if (a->type() == Item::XPATH_NODESET && else if (a->type() == Item::XPATH_NODESET &&
b->type() == Item::XPATH_NODESET) b->type() == Item::XPATH_NODESET)
{ {
uint len= context->end - context->beg; uint len= xpath->query.end - context->beg;
set_if_bigger(len, 32); set_if_smaller(len, 32);
my_printf_error(ER_UNKNOWN_ERROR, my_printf_error(ER_UNKNOWN_ERROR,
"XPATH error: " "XPATH error: "
"comparison of two nodesets is not supported: '%.*s'", "comparison of two nodesets is not supported: '%.*s'",
...@@ -2591,12 +2591,10 @@ void Item_xml_str_func::fix_length_and_dec() ...@@ -2591,12 +2591,10 @@ void Item_xml_str_func::fix_length_and_dec()
if (!rc) if (!rc)
{ {
char context[32];
uint clen= xpath.query.end - xpath.lasttok.beg; uint clen= xpath.query.end - xpath.lasttok.beg;
set_if_bigger(clen, sizeof(context) - 1); set_if_smaller(clen, 32);
strmake(context, xpath.lasttok.beg, clen); my_printf_error(ER_UNKNOWN_ERROR, "XPATH syntax error: '%.*s'",
my_printf_error(ER_UNKNOWN_ERROR, "XPATH syntax error: '%s'", MYF(0), clen, xpath.lasttok.beg);
MYF(0), context);
return; return;
} }
......