From 19f4e4d6591fba36fa62bd7b1bc083748ff00e04 Mon Sep 17 00:00:00 2001 From: Alexander Barkov Date: Tue, 18 Jan 2011 09:38:41 +0300 Subject: Bug#44332 my_xml_scan reads behind the end of buffer Problem: the scanner function tested for strings "" without checking input string boundaries, which led to valgrind's "Conditional jump or move depends on uninitialised value(s)" error. Fix: Adding boundary checking. @ mysql-test/r/xml.result @ mysql-test/t/xml.test Adding test @ strings/xml.c Adding a helper function my_xml_parser_prefix_cmp(), with input string boundary check.
---
strings/xml.c | 23 +++++++++++++++++------
1 file changed, 17 insertions(+), 6 deletions(-)
(limited to 'strings/xml.c')
diff --git a/strings/xml.c b/strings/xml.c
index f3cfaad54fa..dee9da2864c 100644
--- a/strings/xml.c
+++ b/strings/xml.c
@@ -106,6 +106,13 @@ static void my_xml_norm_text(MY_XML_ATTR *a)
}
+static inline my_bool
+my_xml_parser_prefix_cmp(MY_XML_PARSER *p, const char *s, size_t slen)
+{
+ return (p->cur + slen > p->end) || memcmp(p->cur, s, slen);
+}
+
+
static int my_xml_scan(MY_XML_PARSER *p,MY_XML_ATTR *a)
{
int lex;
@@ -123,16 +130,20 @@ static int my_xml_scan(MY_XML_PARSER *p,MY_XML_ATTR *a)
a->beg=p->cur;
a->end=p->cur;
- if ((p->end - p->cur > 3) && !memcmp(p->cur,"", 3); p->cur++)
- {}
- if (!memcmp(p->cur, "-->", 3))
- p->cur+=3;
+ for (; p->cur < p->end; p->cur++)
+ {
+ if (!my_xml_parser_prefix_cmp(p, C_STRING_WITH_LEN("-->")))
+ {
+ p->cur+= 3;
+ break;
+ }
+ }
a->end=p->cur;
lex=MY_XML_COMMENT;
}
- else if (!memcmp(p->cur, "cur+= 9;
for (; p->cur < p->end - 2 ; p->cur++)
-- cgit v1.2.1
From 7f8ebade0f4a190bc4cfe842711d1cc4a9304f34 Mon Sep 17 00:00:00 2001 From: Alexander Barkov Date: Wed, 19 Jan 2011 16:17:52 +0300 Subject: Updating Copyright information
---
strings/xml.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'strings/xml.c')
diff --git a/strings/xml.c b/strings/xml.c
index dee9da2864c..29ce74e36a0 100644
--- a/strings/xml.c 
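Review bot: In my_xml_parser_prefix_cmp the bound check `p->cur + slen > p->end` forms a pointer that may lie more than one element past the end of the input before it is compared, which is undefined behaviour in C whenever fewer than slen bytes remain; comparing the remaining length instead keeps the arithmetic inside the object: `return (size_t)(p->end - p->cur) < slen || memcmp(p->cur, s, slen) != 0;`. That form relies on the parser keeping p->cur <= p->end, which the loops in the second hunk on this line appear to maintain but the hunk does not prove. The helper is also undocumented; a header such as `/* TRUE if fewer than slen bytes remain at p->cur or they differ from s; never reads past p->end. */` would state the contract the comment-scanning loop depends on. The second hunk's enclosing function, my_xml_scan, starts and ends outside the hunk.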
+++ b/strings/xml.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2000 MySQL AB
+/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
-- cgit v1.2.1
From e2cab2c5fa1e846be03d23b440c894385e6e296a Mon Sep 17 00:00:00 2001 From: Alexander Barkov Date: Tue, 1 Mar 2011 15:30:18 +0300 Subject: Bug#11766725 (Bug#59901) EXTRACTVALUE STILL BROKEN AFTER FIX FOR BUG #44332 Problem: a byte behind the end of input string was read in case of a broken XML not having a quote or doublequote character closing a string value. Fix: changing condition not to read behind the end of input string @ mysql-test/r/xml.result @ mysql-test/t/xml.test Adding tests @ strings/xml.c When checking if the closing quote/doublequote was found, using p->cur[0] us unsafe, as p->cur can point to the byte after the value. Comparing p->cur to p->beg instead.
---
strings/xml.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'strings/xml.c')
diff --git a/strings/xml.c b/strings/xml.c
index 29ce74e36a0..abe40810a97 100644
--- a/strings/xml.c
+++ b/strings/xml.c
@@ -165,11 +165,16 @@ static int my_xml_scan(MY_XML_PARSER *p,MY_XML_ATTR *a)
}
else if ( (p->cur[0] == '"') || (p->cur[0] == '\'') )
{
+ /*
+ "string" or 'string' found.
+ Scan until the closing quote/doublequote, or until the END-OF-INPUT.
+ */
p->cur++;
for (; ( p->cur < p->end ) && (p->cur[0] != a->beg[0]); p->cur++)
{}
a->end=p->cur;
- if (a->beg[0] == p->cur[0])p->cur++;
+ if (p->cur < p->end) /* Closing quote or doublequote has been found */
+ p->cur++;
a->beg++;
if (!(p->flags & MY_XML_FLAG_SKIP_TEXT_NORMALIZATION))
my_xml_norm_text(a);
-- cgit v1.2.1
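Review bot: The new guard `if (p->cur < p->end) /* Closing quote or doublequote has been found */` leaves its single-statement body `p->cur++;` unbraced and separated from the condition only by a trailing comment; bracing it, `if (p->cur < p->end) { p->cur++; /* step over the closing quote */ }`, removes the risk of a later edit landing outside the conditional. The added comment block also leaves the failure case implicit: when no closing quote exists the loop stops at p->end and the scan continues as if the value were complete, so a sentence such as `An unterminated value is not reported as an error; it extends to the end of the input.` would make the accepted-input behaviour explicit for the next reader. How the token is classified afterwards is not visible here, and my_xml_scan itself starts and ends outside the hunk.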