Fix for BUG#15948580 UPDATE_XML() CRASHES THE SERVER.

Problem: tag's buffer overflow leads to a problem. Fix: bound check added.
author: Ramil Kalimullin <ramil.kalimullin@oracle.com> 2012-12-14 13:55:30 +0400
committer: Ramil Kalimullin <ramil.kalimullin@oracle.com> 2012-12-14 13:55:30 +0400
commit: b92b7a42fd6dadd8e3491a6d87d6215a02b94eac (patch)
tree: 0336d1b0eaad778ec0418a7faed66f4c347bbe67 /sql/item_xmlfunc.cc
parent: 0b10e6d03f8733f66eaf764e237250a4cc934900 (diff)
download: mariadb-git-b92b7a42fd6dadd8e3491a6d87d6215a02b94eac.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/sql/item_xmlfunc.cc b/sql/item_xmlfunc.cc
index 751c975b48e..4140fcfb11c 100644
--- a/sql/item_xmlfunc.cc
+++ b/sql/item_xmlfunc.cc
@@ -2669,8 +2669,12 @@ int xml_enter(MY_XML_PARSER *st,const char *attr, size_t len)
 
   node.parent= data->parent; // Set parent for the new node to old parent
   data->parent= numnodes;    // Remember current node as new parent
+  DBUG_ASSERT(data->level <= MAX_LEVEL);
   data->pos[data->level]= numnodes;
-  node.level= data->level++;
+  if (data->level < MAX_LEVEL)
+    node.level= data->level++;
+  else
+    return MY_XML_ERROR;
   node.type= st->current_node_type; // TAG or ATTR
   node.beg= attr;
   node.end= attr + len;
author	Ramil Kalimullin <ramil.kalimullin@oracle.com>	2012-12-14 13:55:30 +0400
committer	Ramil Kalimullin <ramil.kalimullin@oracle.com>	2012-12-14 13:55:30 +0400
commit	b92b7a42fd6dadd8e3491a6d87d6215a02b94eac (patch)
tree	0336d1b0eaad778ec0418a7faed66f4c347bbe67 /sql/item_xmlfunc.cc
parent	0b10e6d03f8733f66eaf764e237250a4cc934900 (diff)
download	mariadb-git-b92b7a42fd6dadd8e3491a6d87d6215a02b94eac.tar.gz