diff options
author | Alexander Barkov <alexander.barkov@oracle.com> | 2011-03-01 15:30:18 +0300 |
---|---|---|
committer | Alexander Barkov <alexander.barkov@oracle.com> | 2011-03-01 15:30:18 +0300 |
commit | fd1e3b03ff8837e8af1a8aa486cc2b13f872861f (patch) | |
tree | 89b6f3eeec25b3189245d4f7af8ff68b73d9d6db /strings | |
parent | fc6197ab2a990a45db241e0ad753952c8bbb3809 (diff) | |
download | mariadb-git-fd1e3b03ff8837e8af1a8aa486cc2b13f872861f.tar.gz |
Bug#11766725 (Bug#59901) EXTRACTVALUE STILL BROKEN AFTER FIX FOR BUG #44332
Problem: a byte behind the end of input string was read
in case of a broken XML not having a quote or doublequote
character closing a string value.
Fix: changing condition not to read behind the end of input string
@ mysql-test/r/xml.result
@ mysql-test/t/xml.test
Adding tests
@ strings/xml.c
When checking if the closing quote/doublequote was found,
using p->cur[0] us unsafe, as p->cur can point to the byte after the value.
Comparing p->cur to p->beg instead.
Diffstat (limited to 'strings')
-rw-r--r-- | strings/xml.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/strings/xml.c b/strings/xml.c index 29ce74e36a0..abe40810a97 100644 --- a/strings/xml.c +++ b/strings/xml.c @@ -165,11 +165,16 @@ static int my_xml_scan(MY_XML_PARSER *p,MY_XML_ATTR *a) } else if ( (p->cur[0] == '"') || (p->cur[0] == '\'') ) { + /* + "string" or 'string' found. + Scan until the closing quote/doublequote, or until the END-OF-INPUT. + */ p->cur++; for (; ( p->cur < p->end ) && (p->cur[0] != a->beg[0]); p->cur++) {} a->end=p->cur; - if (a->beg[0] == p->cur[0])p->cur++; + if (p->cur < p->end) /* Closing quote or doublequote has been found */ + p->cur++; a->beg++; if (!(p->flags & MY_XML_FLAG_SKIP_TEXT_NORMALIZATION)) my_xml_norm_text(a); |