database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-12-24 11:21:21 +03:00
Code Activity

Bug#28558 UpdateXML called with garbage crashes server

Browse Source 
Problem: Memory overrun happened in attempts to generate
error messages (e.g. in case of incorrect XPath syntax).
Reason: set_if_bigger() was used instead of set_if_smaller().
Change: replacing wrong set_if_bigger() to set_if_smaller(),
and making minor additional code clean-ups.


mysql-test/r/xml.result:
  Adding test cases for all pieces of code with
  set_if_smaller() followed by my_printf_error().
mysql-test/t/xml.test:
  Adding test cases for all pieces of code with
  set_if_smaller() followed by my_printf_error().
sql/item_xmlfunc.cc:
  - fixing incorrect set_if_bigger to set_if_smaller in two places
  - getting read of unnesessary "char context[32]" variable and
    using '%.*s' instead if '%s' in the error format.
This commit is contained in:
unknown
2007-05-23 12:34:47 +05:00
parent b626d5d78e
commit 1da8ea2ee0
3 changed files with 21 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
mysql-test/t/xml.test
View File

@@ -523,3 +523,13 @@ CALL spxml('<a><b>b1</b><b>b2</b></a>', '1 and string');
CALL spxml('<a><b>b1</b><b>b2</b></a>', 'string and 1');
CALL spxml('<a><b>b1</b><b>b2</b></a>', 'string');
DROP PROCEDURE spxml;
#
# Bug#28558 UpdateXML called with garbage crashes server
#
--error 1105
select UpdateXML('<a>a</a>',repeat('a b ',1000),'');
--error 1105
select ExtractValue('<a>a</a>', '/a[@x=@y0123456789_0123456789_0123456789_0123456789]');
--error 1105
select ExtractValue('<a>a</a>', '/a[@x=$y0123456789_0123456789_0123456789_0123456789]');