Commit d720c491 authored by Alexander Barkov's avatar Alexander Barkov

Bug#57279 updatexml dies with: Assertion failed: str_arg[length] == 0

Problem: crash in Item_float constructor on DBUG_ASSERT due
to not null-terminated string parameter.

Fix: making Item_float::Item_float safe for a non-null-terminated parameter:
- Using temporary buffer when generating error

modified:
  @ mysql-test/r/xml.result
  @ mysql-test/t/xml.test
  @ sql/item.cc
parent aaa370f5
...@@ -1093,4 +1093,11 @@ Warnings: ...@@ -1093,4 +1093,11 @@ Warnings:
Warning 1525 Incorrect XML value: 'parse error at line 1 pos 23: unexpected END-OF-INPUT' Warning 1525 Incorrect XML value: 'parse error at line 1 pos 23: unexpected END-OF-INPUT'
Warning 1525 Incorrect XML value: 'parse error at line 1 pos 23: unexpected END-OF-INPUT' Warning 1525 Incorrect XML value: 'parse error at line 1 pos 23: unexpected END-OF-INPUT'
DROP TABLE t1; DROP TABLE t1;
#
# Bug#57279 updatexml dies with: Assertion failed: str_arg[length] == 0
#
SELECT UPDATEXML(NULL, (LPAD(0.1111E-15, '2011', 1)), 1);
ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111' value found during parsing
SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1));
ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111' value found during parsing
End of 5.1 tests End of 5.1 tests
...@@ -617,4 +617,14 @@ FROM t1 ORDER BY t1.id; ...@@ -617,4 +617,14 @@ FROM t1 ORDER BY t1.id;
DROP TABLE t1; DROP TABLE t1;
--echo #
--echo # Bug#57279 updatexml dies with: Assertion failed: str_arg[length] == 0
--echo #
--error ER_ILLEGAL_VALUE_FOR_TYPE
SELECT UPDATEXML(NULL, (LPAD(0.1111E-15, '2011', 1)), 1);
--error ER_ILLEGAL_VALUE_FOR_TYPE
SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1));
--echo End of 5.1 tests --echo End of 5.1 tests
...@@ -5286,8 +5286,17 @@ static uint nr_of_decimals(const char *str, const char *end) ...@@ -5286,8 +5286,17 @@ static uint nr_of_decimals(const char *str, const char *end)
/** /**
This function is only called during parsing. We will signal an error if This function is only called during parsing:
value is not a true double value (overflow) - when parsing SQL query from sql_yacc.yy
- when parsing XPath query from item_xmlfunc.cc
We will signal an error if value is not a true double value (overflow):
eng: Illegal %s '%-.192s' value found during parsing
Note: the string is NOT null terminated when called from item_xmlfunc.cc,
so this->name will contain some SQL query tail behind the "length" bytes.
This is Ok for now, as this Item is never seen in SHOW,
or EXPLAIN, or anywhere else in metadata.
Item->name should be fixed to use LEX_STRING eventually.
*/ */
Item_float::Item_float(const char *str_arg, uint length) Item_float::Item_float(const char *str_arg, uint length)
...@@ -5298,12 +5307,9 @@ Item_float::Item_float(const char *str_arg, uint length) ...@@ -5298,12 +5307,9 @@ Item_float::Item_float(const char *str_arg, uint length)
&error); &error);
if (error) if (error)
{ {
/* char tmp[NAME_LEN + 1];
Note that we depend on that str_arg is null terminated, which is true my_snprintf(tmp, sizeof(tmp), "%.*s", length, str_arg);
when we are in the parser my_error(ER_ILLEGAL_VALUE_FOR_TYPE, MYF(0), "double", tmp);
*/
DBUG_ASSERT(str_arg[length] == 0);
my_error(ER_ILLEGAL_VALUE_FOR_TYPE, MYF(0), "double", (char*) str_arg);
} }
presentation= name=(char*) str_arg; presentation= name=(char*) str_arg;
decimals=(uint8) nr_of_decimals(str_arg, str_arg+length); decimals=(uint8) nr_of_decimals(str_arg, str_arg+length);
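Review bot: `presentation= name=(char*) str_arg;` after the error branch still stores a pointer to a buffer that the new comment says is not null-terminated when the caller is item_xmlfunc.cc, so the bounded copy into `tmp` protects only the error message. The safety of `name` and `presentation` now rests on the comment's claim that this Item is never seen in SHOW or EXPLAIN; any later consumer that treats either field as a C string would read past `length` into the query tail. Consider storing a length-bounded copy instead, for example `presentation= name= sql_strmake(str_arg, length);` if allocating on the statement memory root is acceptable here, or at least asserting the invariant where those fields are read. Separately, `length` is a `uint` passed as the `*` precision of `"%.*s"`, which takes an `int`; writing `(int) length` would make that conversion explicit. The constructor's signature is in the previous hunk and its body continues past the last line shown.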
......