From dafbdc788a1fe551990c736daaf2a39998f4cbc0 Mon Sep 17 00:00:00 2001
From: Georgi Kodinov
Date: Mon, 5 Dec 2016 15:36:23 +0200
Subject: [PATCH] Bug #25111907: XML TEST FAILS WITH UNDEFINED BEHAVIOR

The XML parser position stack for each level is with a fixed depth. So a bounds check was done to ensure that this depth is not exceeded. But it was off by one (i.e. the size of the array was a valid index). Fixed by decreasing the allowable depth by one to match the maximum number of elements in the position stack.
---
 sql/item_xmlfunc.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sql/item_xmlfunc.cc b/sql/item_xmlfunc.cc
index 2c8aab83ed9..31cd4fdd170 100644
--- a/sql/item_xmlfunc.cc
+++ b/sql/item_xmlfunc.cc
@@ -1,4 +1,4 @@
-/* Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.

 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -2695,9 +2695,9 @@ int xml_enter(MY_XML_PARSER *st,const char *attr, size_t len)

 node.parent= data->parent; // Set parent for the new node to old parent
 data->parent= numnodes; // Remember current node as new parent
- DBUG_ASSERT(data->level <= MAX_LEVEL);
+ DBUG_ASSERT(data->level < MAX_LEVEL);
 data->pos[data->level]= numnodes;
- if (data->level < MAX_LEVEL)
+ if (data->level < MAX_LEVEL - 1)
 node.level= data->level++;
 else
 return MY_XML_ERROR;
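Review bot: In xml_enter the store `data->pos[data->level]= numnodes;` is still protected only by `DBUG_ASSERT`, which is compiled out of non-debug builds, and the runtime depth test runs after the write. The write stays in bounds only as long as this `if` is the sole place that raises `data->level`, which cannot be confirmed from the hunk (the function starts and ends outside it). Because the nesting depth is taken from the document being parsed, I would test before storing: `if (data->level >= MAX_LEVEL - 1) return MY_XML_ERROR;` followed by `data->pos[data->level]= numnodes;` and `node.level= data->level++;`, which rejects the same depths as the new code. A short comment such as `// pos[] holds MAX_LEVEL entries (per the commit description), so the deepest usable level is MAX_LEVEL - 1` would record why the limit is not MAX_LEVEL.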