Bug#44332 my_xml_scan reads behind the end of buffer

Problem: the scanner function tested for strings "<![CDATA[" and "-->" without checking input string boundaries, which led to valgrind's "Conditional jump or move depends on uninitialised value(s)" error. Fix: Adding boundary checking. @ mysql-test/r/xml.result @ mysql-test/t/xml.test Adding test @ strings/xml.c Adding a helper function my_xml_parser_prefix_cmp(), with input string boundary check.
2025-07-29 05:21:33 +03:00 · 2011-01-18 09:38:41 +03:00
parent f25ab9fe22
commit cf0e22fe75
3 changed files with 33 additions and 6 deletions
--- a/strings/xml.c
+++ b/strings/xml.c
@ -106,6 +106,13 @@ static void my_xml_norm_text(MY_XML_ATTR *a)
 }


+static inline my_bool
+my_xml_parser_prefix_cmp(MY_XML_PARSER *p, const char *s, size_t slen)
+{
+  return (p->cur + slen > p->end) || memcmp(p->cur, s, slen);
+}
+
+
 static int my_xml_scan(MY_XML_PARSER *p,MY_XML_ATTR *a)
 {
  int lex;
@ -123,16 +130,20 @@ static int my_xml_scan(MY_XML_PARSER *p,MY_XML_ATTR *a)
  a->beg=p->cur;
  a->end=p->cur;
  
-  if ((p->end - p->cur > 3) && !memcmp(p->cur,"<!--",4))
+  if (!my_xml_parser_prefix_cmp(p, C_STRING_WITH_LEN("<!--")))
  {
-    for (; (p->cur < p->end) && memcmp(p->cur, "-->", 3); p->cur++)
-    {}
-    if (!memcmp(p->cur, "-->", 3))
-      p->cur+=3;
+    for (; p->cur < p->end; p->cur++)
+    {
+      if (!my_xml_parser_prefix_cmp(p, C_STRING_WITH_LEN("-->")))
+      {
+        p->cur+= 3;
+        break;
+      }
+    }
    a->end=p->cur;
    lex=MY_XML_COMMENT;
  }
-  else if (!memcmp(p->cur, "<![CDATA[",9))
+  else if (!my_xml_parser_prefix_cmp(p, C_STRING_WITH_LEN("<![CDATA[")))
  {
    p->cur+= 9;
    for (; p->cur < p->end - 2 ; p->cur++)