Bug#57257 Replace(ExtractValue(...)) causes MySQL crash

Bug#57820 extractvalue crashes Problem: ExtractValue and Replace crashed in some cases due to invalid handling of empty and NULL arguments. Per file comments: @mysql-test/r/ctype_ujis.result @mysql-test/r/xml.result @mysql-test/t/ctype_ujis.test @mysql-test/t/xml.test Adding tests @sql/item_strfunc.cc Make sure Item_func_replace::val_str safely handles empty strings. @sql/item_xmlfunc.cc set null_value if nodeset_func returned NULL, which is possible when the second argument is an unset user variable.
author: Alexander Barkov <bar@mysql.com> 2010-11-11 13:25:23 +0300
committer: Alexander Barkov <bar@mysql.com> 2010-11-11 13:25:23 +0300
commit: aa668865e271694e9b3ebbfe518cb4d0c2ad0c38 (patch)
tree: c6f7021e2960150a80f50095d0a6d53262e74c33
parent: 9f71cfc0a965b581c1aa1744d3e092f6f1493a49 (diff)
download: mariadb-git-aa668865e271694e9b3ebbfe518cb4d0c2ad0c38.tar.gz
6 files changed, 50 insertions, 3 deletions
diff --git a/mysql-test/r/ctype_ujis.result b/mysql-test/r/ctype_ujis.result
index 540ba178756..765ad5a96ca 100644
--- a/mysql-test/r/ctype_ujis.result
+++ b/mysql-test/r/ctype_ujis.result
@@ -2374,6 +2374,16 @@ hex(convert(_latin1 0xA4A2 using ujis))	hex(c2)
 DROP PROCEDURE sp1;
 DROP TABLE t1;
 DROP TABLE t2;
+#
+# Bug#57257 Replace(ExtractValue(...)) causes MySQL crash
+#
+SET NAMES utf8;
+SELECT CONVERT(REPLACE(EXPORT_SET('a','a','a','','a'),'00','') USING ujis);
+CONVERT(REPLACE(EXPORT_SET('a','a','a','','a'),'00','') USING ujis)
+
+Warnings:
+Warning	1292	Truncated incorrect INTEGER value: 'a'
+Warning	1292	Truncated incorrect INTEGER value: 'a'
 set names default;
 set character_set_database=default;
 set character_set_server=default;
diff --git a/mysql-test/r/xml.result b/mysql-test/r/xml.result
index fad2cab0e57..e6811789679 100644
--- a/mysql-test/r/xml.result
+++ b/mysql-test/r/xml.result
@@ -1093,4 +1093,17 @@ Warnings:
 Warning	1525	Incorrect XML value: 'parse error at line 1 pos 23: unexpected END-OF-INPUT'
 Warning	1525	Incorrect XML value: 'parse error at line 1 pos 23: unexpected END-OF-INPUT'
 DROP TABLE t1;
+#
+# Bug#57257 Replace(ExtractValue(...)) causes MySQL crash
+#
+SET NAMES utf8;
+SELECT REPLACE(EXTRACTVALUE('1', '/a'),'ds','');
+REPLACE(EXTRACTVALUE('1', '/a'),'ds','')
+
+#
+# Bug #57820 extractvalue crashes
+#
+SELECT AVG(DISTINCT EXTRACTVALUE((''),('$@k')));
+AVG(DISTINCT EXTRACTVALUE((''),('$@k')))
+NULL
 End of 5.1 tests
diff --git a/mysql-test/t/ctype_ujis.test b/mysql-test/t/ctype_ujis.test
index 400f1301dd3..4c29a2e11a0 100644
--- a/mysql-test/t/ctype_ujis.test
+++ b/mysql-test/t/ctype_ujis.test
@@ -1209,6 +1209,13 @@ DROP PROCEDURE sp1;
 DROP TABLE t1;
 DROP TABLE t2;
 
+--echo #
+--echo # Bug#57257 Replace(ExtractValue(...)) causes MySQL crash
+--echo #
+SET NAMES utf8;
+SELECT CONVERT(REPLACE(EXPORT_SET('a','a','a','','a'),'00','') USING ujis);
+
+
 set names default;
 set character_set_database=default;
 set character_set_server=default;
diff --git a/mysql-test/t/xml.test b/mysql-test/t/xml.test
index 6e7d38cdfca..a8917fc9fe7 100644
--- a/mysql-test/t/xml.test
+++ b/mysql-test/t/xml.test
@@ -617,4 +617,15 @@ FROM t1 ORDER BY t1.id;
 
 DROP TABLE t1;
 
+--echo #
+--echo # Bug#57257 Replace(ExtractValue(...)) causes MySQL crash
+--echo #
+SET NAMES utf8;
+SELECT REPLACE(EXTRACTVALUE('1', '/a'),'ds','');
+
+--echo #
+--echo # Bug #57820 extractvalue crashes
+--echo #
+SELECT AVG(DISTINCT EXTRACTVALUE((''),('$@k')));
+
 --echo End of 5.1 tests
diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc
index 8fda281bd9e..fd5c47d25cb 100644
--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@@ -904,9 +904,15 @@ String *Item_func_replace::val_str(String *str)
     search=res2->ptr();
     search_end=search+from_length;
 redo:
+    DBUG_ASSERT(res->ptr() || !offset);
     ptr=res->ptr()+offset;
     strend=res->ptr()+res->length();
-    end=strend-from_length+1;
+    /*
+      In some cases val_str() can return empty string
+      with ptr() == NULL and length() == 0.
+      Let's check strend to avoid overflow.
+    */
+    end= strend ? strend - from_length + 1 : NULL;
     while (ptr < end)
     {
         if (*ptr == *search)
diff --git a/sql/item_xmlfunc.cc b/sql/item_xmlfunc.cc
index 3e20b90e68e..364311877e0 100644
--- a/sql/item_xmlfunc.cc
+++ b/sql/item_xmlfunc.cc
@@ -2790,12 +2790,12 @@ String *Item_func_xml_extractvalue::val_str(String *str)
   null_value= 0;
   if (!nodeset_func ||
       !(res= args[0]->val_str(str)) || 
-      !parse_xml(res, &pxml))
+      !parse_xml(res, &pxml) ||
+      !(res= nodeset_func->val_str(&tmp_value)))
   {
     null_value= 1;
     return 0;
   }
-  res= nodeset_func->val_str(&tmp_value);
   return res;  
 }
author	Alexander Barkov <bar@mysql.com>	2010-11-11 13:25:23 +0300
committer	Alexander Barkov <bar@mysql.com>	2010-11-11 13:25:23 +0300
commit	aa668865e271694e9b3ebbfe518cb4d0c2ad0c38 (patch)
tree	c6f7021e2960150a80f50095d0a6d53262e74c33
parent	9f71cfc0a965b581c1aa1744d3e092f6f1493a49 (diff)
download	mariadb-git-aa668865e271694e9b3ebbfe518cb4d0c2ad0c38.tar.gz