From f80d5653778ce324866744de92574491557f529f Mon Sep 17 00:00:00 2001 From: Anirudh Mangipudi Date: Mon, 25 Nov 2013 13:49:07 +0530 Subject: Bug#12428404 MYSQLD.EXE CRASHES WHEN EXTRACTVALUE() IS CALLED WITH MALFORMED XPATH EXP Problem: A malformed XPATH expression in the ExtractValue query is causing a server crash. This malformed XPATH expression is resulted when the position attribute in the substring function contains ".." in the beginning. Solution: The original crash is happening because the "../" is being evaluated prematurely. It tries to access XML while it hasn't been parsed yet. The premature evaluation is happening because the val_nodeset function is being set to constant, in which case we proceed to evaluate them in JOIN:prepare stage only. The solution to this is setting the val_nodeset functions as non-constant. This forces us to evaluate the function in the JOIN:exec stage and thus avoid any premature evaluation of the XML strings. --- sql/item_xmlfunc.cc | 3 +++ 1 file changed, 3 insertions(+) (limited to 'sql/item_xmlfunc.cc') diff --git a/sql/item_xmlfunc.cc b/sql/item_xmlfunc.cc index ef2cd8fa2c1..173791c3128 100644 --- a/sql/item_xmlfunc.cc +++ b/sql/item_xmlfunc.cc @@ -220,6 +220,9 @@ public: { max_length= MAX_BLOB_WIDTH; collation.collation= pxml->charset(); + // To avoid premature evaluation, mark all nodeset functions as non-const. + used_tables_cache= RAND_TABLE_BIT; + const_item_cache= false; } const char *func_name() const { return "nodeset"; } }; -- cgit v1.2.1
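Review bot: the two assignments added after `collation.collation= pxml->charset();` make every nodeset function non-constant, so the crash is avoided by deferring evaluation rather than by checking, at the point of access, that the XML has actually been parsed. Going by the commit message, the underlying fault is that `../` reads XML that has not been parsed yet. A guard on that access would keep the server safe even if some other path evaluates a nodeset early, so consider adding one alongside this change. The added comment should also say why `RAND_TABLE_BIT` is the chosen marker and reference Bug#12428404, since `used_tables_cache= RAND_TABLE_BIT;` reads as if the function were non-deterministic, and a later cleanup could easily revert it. Two things to confirm: that nothing recomputes `used_tables_cache` and `const_item_cache` after this method runs, which would silently restore the constant status, and that the cost of re-evaluating ExtractValue() per row when both arguments are literals is acceptable.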