Commit 0fa867fd authored by Ramil Kalimullin

Fix for BUG#15948580 UPDATE_XML() CRASHES THE SERVER.

Problem: tag's buffer overflow leads to a problem.
Fix: bound check added.


sql/item_xmlfunc.cc:
  Fix for BUG#15948580 UPDATE_XML() CRASHES THE SERVER.
  
    - XML tag/attribute level shouldn't exceed MAX_LEVEL as we use a
  static buffer to store them in the MY_XML_USER_DATA.
parent 117e2d1b
...@@ -2669,8 +2669,12 @@ int xml_enter(MY_XML_PARSER *st,const char *attr, size_t len) ...@@ -2669,8 +2669,12 @@ int xml_enter(MY_XML_PARSER *st,const char *attr, size_t len)
node.parent= data->parent; // Set parent for the new node to old parent node.parent= data->parent; // Set parent for the new node to old parent
data->parent= numnodes; // Remember current node as new parent data->parent= numnodes; // Remember current node as new parent
DBUG_ASSERT(data->level <= MAX_LEVEL);
data->pos[data->level]= numnodes; data->pos[data->level]= numnodes;
if (data->level < MAX_LEVEL)
node.level= data->level++; node.level= data->level++;
else
return MY_XML_ERROR;
node.type= st->current_node_type; // TAG or ATTR node.type= st->current_node_type; // TAG or ATTR
node.beg= attr; node.beg= attr;
node.end= attr + len; node.end= attr + len;
......
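Review bot: the store `data->pos[data->level]= numnodes;` still runs before the new `if (data->level < MAX_LEVEL)` test, so when the level has reached MAX_LEVEL the index MAX_LEVEL is written before the function returns MY_XML_ERROR. That is only in bounds if `pos` is declared with MAX_LEVEL + 1 elements, which this hunk does not show, and the `DBUG_ASSERT(data->level <= MAX_LEVEL)` above it is compiled out of non-debug builds, so it gives no protection in production. Consider moving the bound check to the top of this block, ahead of both `data->parent= numnodes;` and the `pos` store, so the error path returns before any parser state is modified. As written, the error return leaves `data->parent` already pointing at the new node number. A short comment next to the check stating the declared size of `pos` relative to MAX_LEVEL would also make the invariant reviewable.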