database/mariadb
database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-05-29 21:42:28 +03:00
Code

Bug#58175 xml functions read initialized bytes when conversions happen

Browse Source 
Problem:

 nr_of_decimals could read behind the end of the buffer
 in case of a non-null-terminated string, which caused
 valgring warnings.

Fix:

  fixing nr_of_decimals not to read behind the "end" pointer.

modified:

  @ mysql-test/r/xml.result
  @ mysql-test/t/xml.test
  @ sql/item.cc
This commit is contained in:
Alexander Barkov 2010-11-19 18:24:29 +03:00
parent 1ab1cb8a77
commit 677639f46a
3 changed files with 47 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
mysql-test/r/xml.result
View File

@ -1101,3 +1101,16 @@ ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111
SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1)); SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1));
ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111' value found during parsing ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111' value found during parsing
End of 5.1 tests End of 5.1 tests
#
# Start of 5.5 tests
#
#
# Bug#58175 xml functions read initialized bytes when conversions happen
#
SET NAMES latin1;
SELECT UPDATEXML(CONVERT('' USING swe7), TRUNCATE('',1), 0);
UPDATEXML(CONVERT('' USING swe7), TRUNCATE('',1), 0)
NULL
#
# End of 5.5 tests
#

15
mysql-test/t/xml.test
View File

@ -628,3 +628,18 @@ SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1));
--echo End of 5.1 tests --echo End of 5.1 tests
--echo #
--echo # Start of 5.5 tests
--echo #
--echo #
--echo # Bug#58175 xml functions read initialized bytes when conversions happen
--echo #
SET NAMES latin1;
SELECT UPDATEXML(CONVERT('' USING swe7), TRUNCATE('',1), 0);
--echo #
--echo # End of 5.5 tests
--echo #

21
sql/item.cc
View File

@ -5527,10 +5527,27 @@ static uint nr_of_decimals(const char *str, const char *end)
break; break;
} }
decimal_point= str; decimal_point= str;
for (; my_isdigit(system_charset_info, *str) ; str++) for ( ; str < end && my_isdigit(system_charset_info, *str) ; str++)
; ;
if (*str == 'e' || *str == 'E') if (str < end && (*str == 'e' || *str == 'E'))
return NOT_FIXED_DEC; return NOT_FIXED_DEC;
/*
QQ:
The number of decimal digist in fact should be (str - decimal_point - 1).
But it seems the result of nr_of_decimals() is never used!
In case of 'e' and 'E' nr_of_decimals returns NOT_FIXED_DEC.
In case if there is no 'e' or 'E' parser code in sql_yacc.yy
never calls Item_float::Item_float() - it creates Item_decimal instead.
The only piece of code where we call Item_float::Item_float(str, len)
without having 'e' or 'E' is item_xmlfunc.cc, but this Item_float
never appears in metadata itself. Changing the code to return
(str - decimal_point - 1) does not make any changes in the test results.
This should be addressed somehow.
Looks like a reminder from before real DECIMAL times.
*/
return (uint) (str - decimal_point); return (uint) (str - decimal_point);
} }