diff options
| -rw-r--r-- | mysql-test/r/ctype_ujis.result | 10 | ||||
| -rw-r--r-- | mysql-test/r/xml.result | 13 | ||||
| -rw-r--r-- | mysql-test/t/ctype_ujis.test | 7 | ||||
| -rw-r--r-- | mysql-test/t/xml.test | 11 | ||||
| -rw-r--r-- | sql/item_strfunc.cc | 8 | ||||
| -rw-r--r-- | sql/item_xmlfunc.cc | 4 |
6 files changed, 50 insertions, 3 deletions
diff --git a/mysql-test/r/ctype_ujis.result b/mysql-test/r/ctype_ujis.result index 540ba178756..765ad5a96ca 100644 --- a/mysql-test/r/ctype_ujis.result +++ b/mysql-test/r/ctype_ujis.result @@ -2374,6 +2374,16 @@ hex(convert(_latin1 0xA4A2 using ujis)) hex(c2) DROP PROCEDURE sp1; DROP TABLE t1; DROP TABLE t2; +# +# Bug#57257 Replace(ExtractValue(...)) causes MySQL crash +# +SET NAMES utf8; +SELECT CONVERT(REPLACE(EXPORT_SET('a','a','a','','a'),'00','') USING ujis); +CONVERT(REPLACE(EXPORT_SET('a','a','a','','a'),'00','') USING ujis) + +Warnings: +Warning 1292 Truncated incorrect INTEGER value: 'a' +Warning 1292 Truncated incorrect INTEGER value: 'a' set names default; set character_set_database=default; set character_set_server=default; diff --git a/mysql-test/r/xml.result b/mysql-test/r/xml.result index fad2cab0e57..e6811789679 100644 --- a/mysql-test/r/xml.result +++ b/mysql-test/r/xml.result @@ -1093,4 +1093,17 @@ Warnings: Warning 1525 Incorrect XML value: 'parse error at line 1 pos 23: unexpected END-OF-INPUT' Warning 1525 Incorrect XML value: 'parse error at line 1 pos 23: unexpected END-OF-INPUT' DROP TABLE t1; +# +# Bug#57257 Replace(ExtractValue(...)) causes MySQL crash +# +SET NAMES utf8; +SELECT REPLACE(EXTRACTVALUE('1', '/a'),'ds',''); +REPLACE(EXTRACTVALUE('1', '/a'),'ds','') + +# +# Bug #57820 extractvalue crashes +# +SELECT AVG(DISTINCT EXTRACTVALUE((''),('$@k'))); +AVG(DISTINCT EXTRACTVALUE((''),('$@k'))) +NULL End of 5.1 tests diff --git a/mysql-test/t/ctype_ujis.test b/mysql-test/t/ctype_ujis.test index 400f1301dd3..4c29a2e11a0 100644 --- a/mysql-test/t/ctype_ujis.test +++ b/mysql-test/t/ctype_ujis.test @@ -1209,6 +1209,13 @@ DROP PROCEDURE sp1; DROP TABLE t1; DROP TABLE t2; +--echo # +--echo # Bug#57257 Replace(ExtractValue(...)) causes MySQL crash +--echo # +SET NAMES utf8; +SELECT CONVERT(REPLACE(EXPORT_SET('a','a','a','','a'),'00','') USING ujis); + + set names default; set character_set_database=default; set character_set_server=default; diff --git a/mysql-test/t/xml.test b/mysql-test/t/xml.test index 6e7d38cdfca..a8917fc9fe7 100644 --- a/mysql-test/t/xml.test +++ b/mysql-test/t/xml.test @@ -617,4 +617,15 @@ FROM t1 ORDER BY t1.id; DROP TABLE t1; +--echo # +--echo # Bug#57257 Replace(ExtractValue(...)) causes MySQL crash +--echo # +SET NAMES utf8; +SELECT REPLACE(EXTRACTVALUE('1', '/a'),'ds',''); + +--echo # +--echo # Bug #57820 extractvalue crashes +--echo # +SELECT AVG(DISTINCT EXTRACTVALUE((''),('$@k'))); + --echo End of 5.1 tests diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc index 8fda281bd9e..fd5c47d25cb 100644 --- a/sql/item_strfunc.cc +++ b/sql/item_strfunc.cc @@ -904,9 +904,15 @@ String *Item_func_replace::val_str(String *str) search=res2->ptr(); search_end=search+from_length; redo: + DBUG_ASSERT(res->ptr() || !offset); ptr=res->ptr()+offset; strend=res->ptr()+res->length(); - end=strend-from_length+1; + /* + In some cases val_str() can return empty string + with ptr() == NULL and length() == 0. + Let's check strend to avoid overflow. + */ + end= strend ? strend - from_length + 1 : NULL; while (ptr < end) { if (*ptr == *search) diff --git a/sql/item_xmlfunc.cc b/sql/item_xmlfunc.cc index 3e20b90e68e..364311877e0 100644 --- a/sql/item_xmlfunc.cc +++ b/sql/item_xmlfunc.cc @@ -2790,12 +2790,12 @@ String *Item_func_xml_extractvalue::val_str(String *str) null_value= 0; if (!nodeset_func || !(res= args[0]->val_str(str)) || - !parse_xml(res, &pxml)) + !parse_xml(res, &pxml) || + !(res= nodeset_func->val_str(&tmp_value))) { null_value= 1; return 0; } - res= nodeset_func->val_str(&tmp_value); return res; } |