author | Alexander Barkov <alexander.barkov@oracle.com> | 2011-01-18 09:50:03 +0300 |
---|---|---|
committer | Alexander Barkov <alexander.barkov@oracle.com> | 2011-01-18 09:50:03 +0300 |
commit | daf602a2236e7bf1a2193057b0524d8f8a7743a5 (patch) | |
tree | 4c1a9099a9669e9c5c3ccd7b2a331902d47c1240 | |
parent | 377c9661e4dbd478ddc602a8bdbd1cf150e45a17 (diff) | |
parent | 5574a2cd91eaf76fd2263b38d64d8c617d3c1d02 (diff) | |
download | mariadb-git-daf602a2236e7bf1a2193057b0524d8f8a7743a5.tar.gz |
Merging from 5.1.
-rw-r--r-- | mysql-test/r/xml.result | 11 | ||||
-rw-r--r-- | mysql-test/t/xml.test | 5 | ||||
-rw-r--r-- | strings/xml.c | 23 |
3 files changed, 33 insertions, 6 deletions
diff --git a/mysql-test/r/xml.result b/mysql-test/r/xml.result
index 6b7ba57ce2e..4568775d3fd 100644
--- a/mysql-test/r/xml.result
+++ b/mysql-test/r/xml.result
@@ -1113,6 +1113,17 @@ SELECT UPDATEXML(NULL, (LPAD(0.1111E-15, '2011', 1)), 1);
 ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111' value found during parsing
 SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1));
 ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111' value found during parsing
+#
+# Bug #44332 my_xml_scan reads behind the end of buffer
+#
+SELECT UPDATEXML(CONVERT(_latin1'<' USING utf8),'1','1');
+UPDATEXML(CONVERT(_latin1'<' USING utf8),'1','1')
+NULL
+Warnings:
+Warning 1525 Incorrect XML value: 'parse error at line 1 pos 2: END-OF-INPUT unexpected (ident or '/' wanted)'
+SELECT UPDATEXML(CONVERT(_latin1'<!--' USING utf8),'1','1');
+UPDATEXML(CONVERT(_latin1'<!--' USING utf8),'1','1')
+NULL
 End of 5.1 tests
 #
 # Start of 5.5 tests
diff --git a/mysql-test/t/xml.test b/mysql-test/t/xml.test
index 1dc5eadbccc..3bc580fe4e5 100644
--- a/mysql-test/t/xml.test
+++ b/mysql-test/t/xml.test
@@ -640,6 +640,11 @@ SELECT UPDATEXML(NULL, (LPAD(0.1111E-15, '2011', 1)), 1);
 --error ER_ILLEGAL_VALUE_FOR_TYPE
 SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1));
+--echo #
+--echo # Bug #44332 my_xml_scan reads behind the end of buffer
+--echo #
+SELECT UPDATEXML(CONVERT(_latin1'<' USING utf8),'1','1');
+SELECT UPDATEXML(CONVERT(_latin1'<!--' USING utf8),'1','1');
 --echo End of 5.1 tests
diff --git a/strings/xml.c b/strings/xml.c
index f3cfaad54fa..dee9da2864c 100644
--- a/strings/xml.c
+++ b/strings/xml.c
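Review bot: The regression cases added to mysql-test/t/xml.test cover a lone `<` and a lone `<!--`, but nothing exercises the `<![CDATA[` prefix check that the same commit changes in strings/xml.c. That branch previously compared nine bytes without checking the remaining length, so it deserves its own case with input shorter than the marker, for example `SELECT UPDATEXML(CONVERT(_latin1'<![' USING utf8),'1','1');`. The matching expected output would need to be recorded in mysql-test/r/xml.result.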
@@ -106,6 +106,13 @@ static void my_xml_norm_text(MY_XML_ATTR *a)
 }
+static inline my_bool
+my_xml_parser_prefix_cmp(MY_XML_PARSER *p, const char *s, size_t slen)
+{
+ return (p->cur + slen > p->end) || memcmp(p->cur, s, slen);
+}
+
+
 static int my_xml_scan(MY_XML_PARSER *p,MY_XML_ATTR *a)
 {
 int lex;
@@ -123,16 +130,20 @@ static int my_xml_scan(MY_XML_PARSER *p,MY_XML_ATTR *a)
 a->beg=p->cur;
 a->end=p->cur;
- if ((p->end - p->cur > 3) && !memcmp(p->cur,"<!--",4))
+ if (!my_xml_parser_prefix_cmp(p, C_STRING_WITH_LEN("<!--")))
 {
- for (; (p->cur < p->end) && memcmp(p->cur, "-->", 3); p->cur++)
- {}
- if (!memcmp(p->cur, "-->", 3))
- p->cur+=3;
+ for (; p->cur < p->end; p->cur++)
+ {
+ if (!my_xml_parser_prefix_cmp(p, C_STRING_WITH_LEN("-->")))
+ {
+ p->cur+= 3;
+ break;
+ }
+ }
 a->end=p->cur;
 lex=MY_XML_COMMENT;
 }
- else if (!memcmp(p->cur, "<![CDATA[",9))
+ else if (!my_xml_parser_prefix_cmp(p, C_STRING_WITH_LEN("<![CDATA[")))
 {
 p->cur+= 9;
 for (; p->cur < p->end - 2 ; p->cur++) |
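Review bot: In the new helper `my_xml_parser_prefix_cmp` (first strings/xml.c hunk) the bounds test `p->cur + slen > p->end` forms a pointer past the end of the buffer whenever fewer than `slen` bytes remain. That is undefined behaviour in C and could in principle wrap. Comparing lengths keeps the check inside the buffer: `return slen > (size_t) (p->end - p->cur) || memcmp(p->cur, s, slen);`. This assumes `p->cur <= p->end` on entry, which the caller presumably guarantees through an end-of-input check not visible in this hunk. A short comment that the helper returns 0 on a match (memcmp convention) would also help, since a `my_bool` return named `_cmp` is easy to read the wrong way round.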
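Review bot: In the comment branch of `my_xml_scan` (second strings/xml.c hunk) the search for `-->` starts at `p->cur`, which still points at the opening `<!--`. The opener's own dashes can therefore be matched as part of the terminator, and `<!-->` is accepted as a complete comment. Adding `p->cur+= 4;` before the `for` would start the search after the opener, which is safe because the prefix check has already confirmed four bytes are present. Separately, when no terminator is found the loop runs to `p->end` and the branch still returns `MY_XML_COMMENT`; the new expected output for `'<!--'` shows NULL with no warning, so a comment stating whether unterminated comments are deliberately tolerated would help. The function body continues outside the hunk.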