Bug#28558 UpdateXML called with garbage crashes server

Problem: Memory overrun happened in attempts to generate error messages (e.g. in case of incorrect XPath syntax). Reason: set_if_bigger() was used instead of set_if_smaller(). Change: replacing wrong set_if_bigger() to set_if_smaller(), and making minor additional code clean-ups. mysql-test/r/xml.result: Adding test cases for all pieces of code with set_if_smaller() followed by my_printf_error(). mysql-test/t/xml.test: Adding test cases for all pieces of code with set_if_smaller() followed by my_printf_error(). sql/item_xmlfunc.cc: - fixing incorrect set_if_bigger to set_if_smaller in two places - getting read of unnesessary "char context[32]" variable and using '%.*s' instead if '%s' in the error format.
2007-05-23 12:34:47 +05:00 · 2007-05-23 12:34:47 +05:00 · 1da8ea2ee0
commit 1da8ea2ee0
parent b626d5d78e
3 changed files with 21 additions and 7 deletions
--- a/mysql-test/r/xml.result
+++ b/mysql-test/r/xml.result
@ -1006,3 +1006,9 @@ Warnings:
 Warning	1292	Truncated incorrect INTEGER value: 'string          '
 Warning	1292	Truncated incorrect INTEGER value: 'string          '
 DROP PROCEDURE spxml;
+select UpdateXML('<a>a</a>',repeat('a b ',1000),'');
+ERROR HY000: XPATH syntax error: 'b a b a b a b a b a b a b a b a '
+select ExtractValue('<a>a</a>', '/a[@x=@y0123456789_0123456789_0123456789_0123456789]');
+ERROR HY000: XPATH error: comparison of two nodesets is not supported: '=@y0123456789_0123456789_0123456'
+select ExtractValue('<a>a</a>', '/a[@x=$y0123456789_0123456789_0123456789_0123456789]');
+ERROR HY000: Unknown XPATH variable at: '$y0123456789_0123456789_01234567'
--- a/mysql-test/t/xml.test
+++ b/mysql-test/t/xml.test
@ -523,3 +523,13 @@ CALL spxml('<a><b>b1</b><b>b2</b></a>', '1 and string');
 CALL spxml('<a><b>b1</b><b>b2</b></a>', 'string and 1');
 CALL spxml('<a><b>b1</b><b>b2</b></a>', 'string');
 DROP PROCEDURE spxml;
+
+#
+# Bug#28558 UpdateXML called with garbage crashes server
+#
+--error 1105
+select UpdateXML('<a>a</a>',repeat('a b ',1000),'');
+--error 1105
+select ExtractValue('<a>a</a>', '/a[@x=@y0123456789_0123456789_0123456789_0123456789]');
+--error 1105
+select ExtractValue('<a>a</a>', '/a[@x=$y0123456789_0123456789_0123456789_0123456789]');
--- a/sql/item_xmlfunc.cc
+++ b/sql/item_xmlfunc.cc
@ -923,8 +923,8 @@ static Item *create_comparator(MY_XPATH *xpath,
  else if (a->type() == Item::XPATH_NODESET &&
           b->type() == Item::XPATH_NODESET)
  {
-    uint len= context->end - context->beg;
-    set_if_bigger(len, 32);
+    uint len= xpath->query.end - context->beg;
+    set_if_smaller(len, 32);
    my_printf_error(ER_UNKNOWN_ERROR,
                    "XPATH error: "
                    "comparison of two nodesets is not supported: '%.*s'",
@ -2591,12 +2591,10 @@ void Item_xml_str_func::fix_length_and_dec()

  if (!rc)
  {
-    char context[32];
    uint clen= xpath.query.end - xpath.lasttok.beg;
-    set_if_bigger(clen, sizeof(context) - 1);
-    strmake(context, xpath.lasttok.beg, clen);
-    my_printf_error(ER_UNKNOWN_ERROR, "XPATH syntax error: '%s'", 
-                    MYF(0), context);
+    set_if_smaller(clen, 32);
+    my_printf_error(ER_UNKNOWN_ERROR, "XPATH syntax error: '%.*s'",
+                    MYF(0), clen, xpath.lasttok.beg);
    return;
  }