Bug#11766725 (Bug#59901) EXTRACTVALUE STILL BROKEN AFTER FIX FOR BUG #44332

Problem: a byte behind the end of input string was read
in case of a broken XML not having a quote or doublequote
character closing a string value.

Fix: changing condition not to read behind the end of input string

  @ mysql-test/r/xml.result
  @ mysql-test/t/xml.test
  Adding tests

  @ strings/xml.c
  When checking if the closing quote/doublequote was found,
  using p->cur[0] us unsafe, as p->cur can point to the byte after the value.
  Comparing p->cur to p->beg instead.

1 files changed, 6 insertions, 1 deletions

diff --git a/strings/xml.c b/strings/xml.c
index 29ce74e36a0..abe40810a97 100644
--- a/strings/xml.c
+++ b/strings/xml.c
@@ -165,11 +165,16 @@ static int my_xml_scan(MY_XML_PARSER *p,MY_XML_ATTR *a)
   }
   else if ( (p->cur[0] == '"') || (p->cur[0] == '\'') )
   {
+    /*
+      "string" or 'string' found.
+      Scan until the closing quote/doublequote, or until the END-OF-INPUT.
+    */
     p->cur++;
     for (; ( p->cur < p->end ) && (p->cur[0] != a->beg[0]); p->cur++)
     {}
     a->end=p->cur;
-    if (a->beg[0] == p->cur[0])p->cur++;
+    if (p->cur < p->end) /* Closing quote or doublequote has been found */
+      p->cur++;
     a->beg++;
     if (!(p->flags & MY_XML_FLAG_SKIP_TEXT_NORMALIZATION))
       my_xml_norm_text(a);