authorAlexander Barkov <bar@mysql.com>2010-11-19 18:24:29 +0300
committerAlexander Barkov <bar@mysql.com>2010-11-19 18:24:29 +0300
commit76ce2feb5fb5a280049c49becad3806cd58db5c3 (patch)
treeefbe34819c43d94c8b3ea1f93af2d718e0dbb796
parente4361481436a800da0bf27e3298b8fa52a39b8ae (diff)
Bug#58175 xml functions read initialized bytes when conversions happen
Problem: nr_of_decimals could read past the end of the buffer in case of a non-null-terminated string, which caused valgrind warnings. Fix: changed nr_of_decimals not to read past the "end" pointer. modified: @ mysql-test/r/xml.result @ mysql-test/t/xml.test @ sql/item.cc
-rw-r--r--mysql-test/r/xml.result13
-rw-r--r--mysql-test/t/xml.test15
-rw-r--r--sql/item.cc21
3 files changed, 47 insertions, 2 deletions
diff --git a/mysql-test/r/xml.result b/mysql-test/r/xml.result
index af4cf8efedd..f5cf30e865b 100644
--- a/mysql-test/r/xml.result
+++ b/mysql-test/r/xml.result
@@ -1101,3 +1101,16 @@ ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111
SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1));
ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111' value found during parsing
End of 5.1 tests
+#
+# Start of 5.5 tests
+#
+#
+# Bug#58175 xml functions read initialized bytes when conversions happen
+#
+SET NAMES latin1;
+SELECT UPDATEXML(CONVERT('' USING swe7), TRUNCATE('',1), 0);
+UPDATEXML(CONVERT('' USING swe7), TRUNCATE('',1), 0)
+NULL
+#
+# End of 5.5 tests
+#
diff --git a/mysql-test/t/xml.test b/mysql-test/t/xml.test
index e9f137adf1b..4d5c5e1a91e 100644
--- a/mysql-test/t/xml.test
+++ b/mysql-test/t/xml.test
@@ -628,3 +628,18 @@ SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1));
--echo End of 5.1 tests
+
+
+--echo #
+--echo # Start of 5.5 tests
+--echo #
+
+--echo #
+--echo # Bug#58175 xml functions read initialized bytes when conversions happen
+--echo #
+SET NAMES latin1;
+SELECT UPDATEXML(CONVERT('' USING swe7), TRUNCATE('',1), 0);
+
+--echo #
+--echo # End of 5.5 tests
+--echo #
diff --git a/sql/item.cc b/sql/item.cc
index 5433693b513..e14c3c95934 100644
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -5527,10 +5527,27 @@ static uint nr_of_decimals(const char *str, const char *end)
break;
}
decimal_point= str;
- for (; my_isdigit(system_charset_info, *str) ; str++)
+ for ( ; str < end && my_isdigit(system_charset_info, *str) ; str++)
;
- if (*str == 'e' || *str == 'E')
+ if (str < end && (*str == 'e' || *str == 'E'))
return NOT_FIXED_DEC;
+ /*
+ QQ:
+ The number of decimal digist in fact should be (str - decimal_point - 1).
+ But it seems the result of nr_of_decimals() is never used!
+
+ In case of 'e' and 'E' nr_of_decimals returns NOT_FIXED_DEC.
+ In case if there is no 'e' or 'E' parser code in sql_yacc.yy
+ never calls Item_float::Item_float() - it creates Item_decimal instead.
+
+ The only piece of code where we call Item_float::Item_float(str, len)
+ without having 'e' or 'E' is item_xmlfunc.cc, but this Item_float
+ never appears in metadata itself. Changing the code to return
+ (str - decimal_point - 1) does not make any changes in the test results.
+
+ This should be addressed somehow.
+ Looks like a reminder from before real DECIMAL times.
+ */
return (uint) (str - decimal_point);
}
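Review bot: The new `str < end` bounds cover only the trailing digit loop and the exponent check; the scan that locates the decimal point, above `break;` and outside this hunk, is the other place `*str` is dereferenced, and it is not visible here whether it already stops at `end`, so that should be confirmed under the same Valgrind run. The added comment records that the returned count is one too large (`str - decimal_point - 1` would be correct) and keeps it only because no current caller uses the value; a future caller would inherit the off-by-one silently, so either return the corrected value or carry the caveat as a one-line note at the function's declaration rather than only inside this block comment. Minor: `digist` in the comment should read `digits`, and `In case if there is no 'e' or 'E' parser code` reads better as `If there is no 'e' or 'E', the parser code`. nr_of_decimals begins before this hunk.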