Commit cf0e22fe authored by Alexander Barkov's avatar Alexander Barkov

Bug#44332 my_xml_scan reads behind the end of buffer

Problem: the scanner function tested for strings "<![CDATA[" and
"-->" without checking input string boundaries, which led to valgrind's
"Conditional jump or move depends on uninitialised value(s)" error.

Fix: Adding boundary checking.

  @ mysql-test/r/xml.result
  @ mysql-test/t/xml.test
  Adding test

  @ strings/xml.c
  Adding a helper function my_xml_parser_prefix_cmp(),
  with input string boundary check.
parent f25ab9fe
...@@ -1113,4 +1113,15 @@ SELECT UPDATEXML(NULL, (LPAD(0.1111E-15, '2011', 1)), 1); ...@@ -1113,4 +1113,15 @@ SELECT UPDATEXML(NULL, (LPAD(0.1111E-15, '2011', 1)), 1);
ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111' value found during parsing ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111' value found during parsing
SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1)); SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1));
ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111' value found during parsing ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111' value found during parsing
#
# Bug #44332 my_xml_scan reads behind the end of buffer
#
SELECT UPDATEXML(CONVERT(_latin1'<' USING utf8),'1','1');
UPDATEXML(CONVERT(_latin1'<' USING utf8),'1','1')
NULL
Warnings:
Warning 1525 Incorrect XML value: 'parse error at line 1 pos 2: END-OF-INPUT unexpected (ident or '/' wanted)'
SELECT UPDATEXML(CONVERT(_latin1'<!--' USING utf8),'1','1');
UPDATEXML(CONVERT(_latin1'<!--' USING utf8),'1','1')
NULL
End of 5.1 tests End of 5.1 tests
...@@ -640,5 +640,10 @@ SELECT UPDATEXML(NULL, (LPAD(0.1111E-15, '2011', 1)), 1); ...@@ -640,5 +640,10 @@ SELECT UPDATEXML(NULL, (LPAD(0.1111E-15, '2011', 1)), 1);
--error ER_ILLEGAL_VALUE_FOR_TYPE --error ER_ILLEGAL_VALUE_FOR_TYPE
SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1)); SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1));
--echo #
--echo # Bug #44332 my_xml_scan reads behind the end of buffer
--echo #
SELECT UPDATEXML(CONVERT(_latin1'<' USING utf8),'1','1');
SELECT UPDATEXML(CONVERT(_latin1'<!--' USING utf8),'1','1');
--echo End of 5.1 tests --echo End of 5.1 tests
...@@ -106,6 +106,13 @@ static void my_xml_norm_text(MY_XML_ATTR *a) ...@@ -106,6 +106,13 @@ static void my_xml_norm_text(MY_XML_ATTR *a)
} }
static inline my_bool
my_xml_parser_prefix_cmp(MY_XML_PARSER *p, const char *s, size_t slen)
{
return (p->cur + slen > p->end) || memcmp(p->cur, s, slen);
}
static int my_xml_scan(MY_XML_PARSER *p,MY_XML_ATTR *a) static int my_xml_scan(MY_XML_PARSER *p,MY_XML_ATTR *a)
{ {
int lex; int lex;
...@@ -123,16 +130,20 @@ static int my_xml_scan(MY_XML_PARSER *p,MY_XML_ATTR *a) ...@@ -123,16 +130,20 @@ static int my_xml_scan(MY_XML_PARSER *p,MY_XML_ATTR *a)
a->beg=p->cur; a->beg=p->cur;
a->end=p->cur; a->end=p->cur;
if ((p->end - p->cur > 3) && !memcmp(p->cur,"<!--",4)) if (!my_xml_parser_prefix_cmp(p, C_STRING_WITH_LEN("<!--")))
{ {
for (; (p->cur < p->end) && memcmp(p->cur, "-->", 3); p->cur++) for (; p->cur < p->end; p->cur++)
{} {
if (!memcmp(p->cur, "-->", 3)) if (!my_xml_parser_prefix_cmp(p, C_STRING_WITH_LEN("-->")))
p->cur+=3; {
p->cur+= 3;
break;
}
}
a->end=p->cur; a->end=p->cur;
lex=MY_XML_COMMENT; lex=MY_XML_COMMENT;
} }
else if (!memcmp(p->cur, "<![CDATA[",9)) else if (!my_xml_parser_prefix_cmp(p, C_STRING_WITH_LEN("<![CDATA[")))
{ {
p->cur+= 9; p->cur+= 9;
for (; p->cur < p->end - 2 ; p->cur++) for (; p->cur < p->end - 2 ; p->cur++)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment