From aa668865e271694e9b3ebbfe518cb4d0c2ad0c38 Mon Sep 17 00:00:00 2001
From: Alexander Barkov <bar@mysql.com>
Date: Thu, 11 Nov 2010 13:25:23 +0300
Subject: Bug#57257 Replace(ExtractValue(...)) causes MySQL crash Bug#57820
 extractvalue crashes

Problem: ExtractValue and Replace crashed in some cases
due to invalid handling of empty and NULL arguments.

Per file comments:

  @mysql-test/r/ctype_ujis.result
  @mysql-test/r/xml.result
  @mysql-test/t/ctype_ujis.test
  @mysql-test/t/xml.test
  Adding tests

  @sql/item_strfunc.cc
  Make sure Item_func_replace::val_str safely handles empty strings.

  @sql/item_xmlfunc.cc
  set null_value if nodeset_func returned NULL,
  which is possible when the second argument is an
  unset user variable.
---
 sql/item_xmlfunc.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'sql/item_xmlfunc.cc')

diff --git a/sql/item_xmlfunc.cc b/sql/item_xmlfunc.cc
index 3e20b90e68e..364311877e0 100644
--- a/sql/item_xmlfunc.cc
+++ b/sql/item_xmlfunc.cc
@@ -2790,12 +2790,12 @@ String *Item_func_xml_extractvalue::val_str(String *str)
   null_value= 0;
   if (!nodeset_func ||
       !(res= args[0]->val_str(str)) || 
-      !parse_xml(res, &pxml))
+      !parse_xml(res, &pxml) ||
+      !(res= nodeset_func->val_str(&tmp_value)))
   {
     null_value= 1;
     return 0;
   }
-  res= nodeset_func->val_str(&tmp_value);
   return res;  
 }
 
-- 
cgit v1.2.1