authorRamil Kalimullin <ramil.kalimullin@oracle.com>2012-12-14 13:55:30 +0400
committerRamil Kalimullin <ramil.kalimullin@oracle.com>2012-12-14 13:55:30 +0400
commit0fa867fd9105dc6ccce8437df0ce7f03b89bec92 (patch)
tree0336d1b0eaad778ec0418a7faed66f4c347bbe67 /sql/item_xmlfunc.cc
parent117e2d1b6b13998d1aa19f4192813bd97488bafb (diff)
Fix for BUG#15948580 UPDATE_XML() CRASHES THE SERVER.
Problem: overflowing the tag buffer crashes the server. Fix: a bounds check was added. sql/item_xmlfunc.cc: Fix for BUG#15948580 UPDATE_XML() CRASHES THE SERVER. - The XML tag/attribute level must not exceed MAX_LEVEL, as we use a static buffer to store them in the MY_XML_USER_DATA.
Diffstat (limited to 'sql/item_xmlfunc.cc')
-rw-r--r--sql/item_xmlfunc.cc6
1 files changed, 5 insertions, 1 deletions
diff --git a/sql/item_xmlfunc.cc b/sql/item_xmlfunc.cc
index 751c975b48e..4140fcfb11c 100644
--- a/sql/item_xmlfunc.cc
+++ b/sql/item_xmlfunc.cc
@@ -2669,8 +2669,12 @@ int xml_enter(MY_XML_PARSER *st,const char *attr, size_t len)
node.parent= data->parent; // Set parent for the new node to old parent
data->parent= numnodes; // Remember current node as new parent
+ DBUG_ASSERT(data->level <= MAX_LEVEL);
data->pos[data->level]= numnodes;
- node.level= data->level++;
+ if (data->level < MAX_LEVEL)
+ node.level= data->level++;
+ else
+ return MY_XML_ERROR;
node.type= st->current_node_type; // TAG or ATTR
node.beg= attr;
node.end= attr + len;
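Review bot: The store `data->pos[data->level]= numnodes;` still executes before the new bound check, so when `data->level` equals MAX_LEVEL the index used is MAX_LEVEL itself. If `pos` is declared with MAX_LEVEL elements (the declaration is outside this hunk, but the commit message describes a static buffer), that is a one-element write past the end of the array. `DBUG_ASSERT` offers no protection in non-debug builds, and its `<=` condition permits exactly that index. I would test first, with `if (data->level >= MAX_LEVEL) return MY_XML_ERROR;` placed ahead of `data->parent= numnodes;`, and then keep `data->pos[data->level]= numnodes;` and `node.level= data->level++;` unconditional; this also avoids leaving `data->parent` modified on the error path. The body of xml_enter starts and ends outside the hunk, so whether callers stop parsing on MY_XML_ERROR needs confirming there.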