Bug#11766725 (Bug#59901) EXTRACTVALUE STILL BROKEN AFTER FIX FOR BUG #44332

Problem: a byte behind the end of input string was read in case of a broken XML not having a quote or doublequote character closing a string value. Fix: changing condition not to read behind the end of input string @ mysql-test/r/xml.result @ mysql-test/t/xml.test Adding tests @ strings/xml.c When checking if the closing quote/doublequote was found, using p->cur[0] us unsafe, as p->cur can point to the byte after the value. Comparing p->cur to p->beg instead.

Bug#11766725 (Bug#59901) EXTRACTVALUE STILL BROKEN AFTER FIX FOR BUG #44332
Problem: a byte behind the end of input string was read in case of a broken XML not having a quote or doublequote character closing a string value. Fix: changing condition not to read behind the end of input string @ mysql-test/r/xml.result @ mysql-test/t/xml.test Adding tests @ strings/xml.c When checking if the closing quote/doublequote was found, using p->cur[0] us unsafe, as p->cur can point to the byte after the value. Comparing p->cur to p->beg instead.
fd1e3b03 · Alexander Barkov · fc6197ab · fd1e3b03 · fd1e3b03 · fd1e3b03
Commit fd1e3b03 authored Mar 01, 2011 by Alexander Barkov
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 1 deletion

mysql-test/r/xml.result mysql-test/r/xml.result +8 -0

mysql-test/t/xml.test mysql-test/t/xml.test +5 -0

strings/xml.c strings/xml.c +6 -1

No files found.
--- a/mysql-test/r/xml.result
+++ b/mysql-test/r/xml.result
@@ -1124,4 +1124,12 @@ Warning	1525	Incorrect XML value: 'parse error at line 1 pos 2: END-OF-INPUT une
 SELECT UPDATEXML(CONVERT(_latin1'<!--' USING utf8),'1','1');
 UPDATEXML(CONVERT(_latin1'<!--' USING utf8),'1','1')
 NULL
+#
+# Bug#11766725 (bug#59901): EXTRACTVALUE STILL BROKEN AFTER FIX FOR BUG #44332
+#
+SELECT ExtractValue(CONVERT('<\"', BINARY(10)), 1);
+ExtractValue(CONVERT('<\"', BINARY(10)), 1)
+NULL
+Warnings:
+Warning	1525	Incorrect XML value: 'parse error at line 1 pos 11: STRING unexpected (ident or '/' wanted)'
 End of 5.1 tests
--- a/mysql-test/t/xml.test
+++ b/mysql-test/t/xml.test
@@ -646,4 +646,9 @@ SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1));
 SELECT UPDATEXML(CONVERT(_latin1'<' USING utf8),'1','1');
 SELECT UPDATEXML(CONVERT(_latin1'<!--' USING utf8),'1','1');

+--echo #
+--echo # Bug#11766725 (bug#59901): EXTRACTVALUE STILL BROKEN AFTER FIX FOR BUG #44332
+--echo #
+SELECT ExtractValue(CONVERT('<\"', BINARY(10)), 1);
+
 --echo End of 5.1 tests
--- a/strings/xml.c
+++ b/strings/xml.c
@@ -165,11 +165,16 @@ static int my_xml_scan(MY_XML_PARSER *p,MY_XML_ATTR *a)
  }
  else if ( (p->cur[0] == '"') || (p->cur[0] == '\'') )
  {
+    /*
+      "string" or 'string' found.
+      Scan until the closing quote/doublequote, or until the END-OF-INPUT.
+    */
    p->cur++;
    for (; ( p->cur < p->end ) && (p->cur[0] != a->beg[0]); p->cur++)
    {}
    a->end=p->cur;
-    if (a->beg[0] == p->cur[0])p->cur++;
+    if (p->cur < p->end) /* Closing quote or doublequote has been found */
+      p->cur++;
    a->beg++;
    if (!(p->flags & MY_XML_FLAG_SKIP_TEXT_NORMALIZATION))
      my_xml_norm_text(a);