Bug #25111907: XML TEST FAILS WITH UNDEFINED BEHAVIOR

The XML parser position stack for each level is with a fixed depth.
So a bounds check was done to ensure that this depth is not exceeded.
But it was off by one (i.e. the size of the array was a valid index).
Fixed by decreasing the allowable depth by one to match the maximum
number of elements in the position stack.

1 files changed, 3 insertions, 3 deletions

diff --git a/sql/item_xmlfunc.cc b/sql/item_xmlfunc.cc
index 2c8aab83ed9..31cd4fdd170 100644
--- a/sql/item_xmlfunc.cc
+++ b/sql/item_xmlfunc.cc
@@ -1,4 +1,4 @@
-/* Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -2695,9 +2695,9 @@ int xml_enter(MY_XML_PARSER *st,const char *attr, size_t len)
 
   node.parent= data->parent; // Set parent for the new node to old parent
   data->parent= numnodes;    // Remember current node as new parent
-  DBUG_ASSERT(data->level <= MAX_LEVEL);
+  DBUG_ASSERT(data->level < MAX_LEVEL);
   data->pos[data->level]= numnodes;
-  if (data->level < MAX_LEVEL)
+  if (data->level < MAX_LEVEL - 1)
     node.level= data->level++;
   else
     return MY_XML_ERROR;