Bug#44332 my_xml_scan reads behind the end of buffer

Problem: the scanner function tested for strings "<![CDATA[" and
"-->" without checking input string boundaries, which led to valgrind's
"Conditional jump or move depends on uninitialised value(s)" error.

Fix: Adding boundary checking.

  @ mysql-test/r/xml.result
  @ mysql-test/t/xml.test
  Adding test

  @ strings/xml.c
  Adding a helper function my_xml_parser_prefix_cmp(),
  with input string boundary check.

mysql-test/r/xml.result

@@ -1113,4 +1113,15 @@ SELECT UPDATEXML(NULL, (LPAD(0.1111E-15, '2011', 1)), 1);
 ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111' value found during parsing
 SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1));
 ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111' value found during parsing
+#
+# Bug #44332 	my_xml_scan reads behind the end of buffer
+#
+SELECT UPDATEXML(CONVERT(_latin1'<' USING utf8),'1','1');
+UPDATEXML(CONVERT(_latin1'<' USING utf8),'1','1')
+NULL
+Warnings:
+Warning	1525	Incorrect XML value: 'parse error at line 1 pos 2: END-OF-INPUT unexpected (ident or '/' wanted)'
+SELECT UPDATEXML(CONVERT(_latin1'<!--' USING utf8),'1','1');
+UPDATEXML(CONVERT(_latin1'<!--' USING utf8),'1','1')
+NULL
 End of 5.1 tests

mysql-test/t/xml.test

@@ -640,5 +640,10 @@ SELECT UPDATEXML(NULL, (LPAD(0.1111E-15, '2011', 1)), 1);
 --error ER_ILLEGAL_VALUE_FOR_TYPE
 SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1));
 
+--echo #
+--echo # Bug #44332 	my_xml_scan reads behind the end of buffer
+--echo #
+SELECT UPDATEXML(CONVERT(_latin1'<' USING utf8),'1','1');
+SELECT UPDATEXML(CONVERT(_latin1'<!--' USING utf8),'1','1');
 
 --echo End of 5.1 tests

strings/xml.c

@@ -106,6 +106,13 @@ static void my_xml_norm_text(MY_XML_ATTR *a)
 }
 
 
+static inline my_bool
+my_xml_parser_prefix_cmp(MY_XML_PARSER *p, const char *s, size_t slen)
+{
+  return (p->cur + slen > p->end) || memcmp(p->cur, s, slen);
+}
+
+
 static int my_xml_scan(MY_XML_PARSER *p,MY_XML_ATTR *a)
 {
   int lex;
@@ -123,16 +130,20 @@ static int my_xml_scan(MY_XML_PARSER *p,MY_XML_ATTR *a)
   a->beg=p->cur;
   a->end=p->cur;
   
-  if ((p->end - p->cur > 3) && !memcmp(p->cur,"<!--",4))
+  if (!my_xml_parser_prefix_cmp(p, C_STRING_WITH_LEN("<!--")))
   {
-    for (; (p->cur < p->end) && memcmp(p->cur, "-->", 3); p->cur++)
+    for (; p->cur < p->end; p->cur++)
-    {}
+    {
-    if (!memcmp(p->cur, "-->", 3))
+      if (!my_xml_parser_prefix_cmp(p, C_STRING_WITH_LEN("-->")))
-      p->cur+=3;
+      {
+        p->cur+= 3;
+        break;
+      }
+    }
     a->end=p->cur;
     lex=MY_XML_COMMENT;
   }
-  else if (!memcmp(p->cur, "<![CDATA[",9))
+  else if (!my_xml_parser_prefix_cmp(p, C_STRING_WITH_LEN("<![CDATA[")))
   {
     p->cur+= 9;
     for (; p->cur < p->end - 2 ; p->cur++)