From 1da8ea2ee06f67b3e498520fe22900c748b31dcf Mon Sep 17 00:00:00 2001 From: unknown Date: Wed, 23 May 2007 12:34:47 +0500 Subject: Bug#28558 UpdateXML called with garbage crashes server Problem: Memory overrun happened in attempts to generate error messages (e.g. in case of incorrect XPath syntax). Reason: set_if_bigger() was used instead of set_if_smaller(). Change: replacing wrong set_if_bigger() to set_if_smaller(), and making minor additional code clean-ups. mysql-test/r/xml.result: Adding test cases for all pieces of code with set_if_smaller() followed by my_printf_error(). mysql-test/t/xml.test: Adding test cases for all pieces of code with set_if_smaller() followed by my_printf_error(). sql/item_xmlfunc.cc: - fixing incorrect set_if_bigger to set_if_smaller in two places - getting read of unnesessary "char context[32]" variable and using '%.*s' instead if '%s' in the error format.
---
mysql-test/t/xml.test | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'mysql-test/t/xml.test')
diff --git a/mysql-test/t/xml.test b/mysql-test/t/xml.test
index 28abd3475d2..1d16652ab1e 100644
--- a/mysql-test/t/xml.test
+++ b/mysql-test/t/xml.test
@@ -523,3 +523,13 @@ CALL spxml('b1b2', '1 and string');
 CALL spxml('b1b2', 'string and 1');
 CALL spxml('b1b2', 'string');
 DROP PROCEDURE spxml;
+
+#
+# Bug#28558 UpdateXML called with garbage crashes server
+#
+--error 1105
+select UpdateXML('a',repeat('a b ',1000),'');
+--error 1105
+select ExtractValue('a', '/a[@x=@y0123456789_0123456789_0123456789_0123456789]');
+--error 1105
+select ExtractValue('a', '/a[@x=$y0123456789_0123456789_0123456789_0123456789]');
-- cgit v1.2.1
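Review bot: The three added statements carry no comment explaining why their arguments are so long, so a later edit could shorten `repeat('a b ',1000)` or the `@y0123…`/`$y0123…` names below the length at which the error text is clipped, and the test would still pass on `--error 1105` without reaching the overrun path. I would add a line above each case such as `# XPath text deliberately longer than the context quoted in the error message` and, for the two ExtractValue cases, `# variable name deliberately longer than the clipped error context`. The clipping limit itself is presumably in sql/item_xmlfunc.cc, which this page does not show, so the comment should name that limit once it is confirmed. Because the defect was a memory overrun while formatting the message, the error code alone does not prove the fix; the message recorded in xml.result and a run under a memory checker are what catch a regression. Separately, `--error ER_UNKNOWN_ERROR` would read better than the bare `1105`.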