Bug #25111907: XML TEST FAILS WITH UNDEFINED BEHAVIOR

The XML parser position stack for each level is with a fixed depth. So a bounds check was done to ensure that this depth is not exceeded. But it was off by one (i.e. the size of the array was a valid index). Fixed by decreasing the allowable depth by one to match the maximum number of elements in the position stack.

Bug #25111907: XML TEST FAILS WITH UNDEFINED BEHAVIOR
The XML parser position stack for each level is with a fixed depth. So a bounds check was done to ensure that this depth is not exceeded. But it was off by one (i.e. the size of the array was a valid index). Fixed by decreasing the allowable depth by one to match the maximum number of elements in the position stack.
dafbdc78 · Georgi Kodinov · 67226995 · dafbdc78
Commit dafbdc78 authored Dec 05, 2016 by Georgi Kodinov
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 3 deletions

sql/item_xmlfunc.cc sql/item_xmlfunc.cc +3 -3

No files found.
--- a/sql/item_xmlfunc.cc
+++ b/sql/item_xmlfunc.cc
-/* Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -2695,9 +2695,9 @@ int xml_enter(MY_XML_PARSER *st,const char *attr, size_t len)

  node.parent= data->parent; // Set parent for the new node to old parent
  data->parent= numnodes;    // Remember current node as new parent
-  DBUG_ASSERT(data->level <= MAX_LEVEL);
+  DBUG_ASSERT(data->level < MAX_LEVEL);
  data->pos[data->level]= numnodes;
-  if (data->level < MAX_LEVEL)
+  if (data->level < MAX_LEVEL - 1)
    node.level= data->level++;
  else
    return MY_XML_ERROR;