From 0fa867fd9105dc6ccce8437df0ce7f03b89bec92 Mon Sep 17 00:00:00 2001
From: Ramil Kalimullin
Date: Fri, 14 Dec 2012 13:55:30 +0400
Subject: [PATCH] Fix for BUG#15948580 UPDATE_XML() CRASHES THE SERVER.

Problem: tag's buffer overflow leads to a problem.
Fix: bound check added.

sql/item_xmlfunc.cc:
Fix for BUG#15948580 UPDATE_XML() CRASHES THE SERVER.
- XML tag/attribute level shouldn't exceed MAX_LEVEL as we use a static buffer to store them in the MY_XML_USER_DATA.
---
 sql/item_xmlfunc.cc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/sql/item_xmlfunc.cc b/sql/item_xmlfunc.cc
index 751c975b48e..4140fcfb11c 100644
--- a/sql/item_xmlfunc.cc
+++ b/sql/item_xmlfunc.cc
@@ -2669,8 +2669,12 @@ int xml_enter(MY_XML_PARSER *st,const char *attr, size_t len)
 node.parent= data->parent; // Set parent for the new node to old parent
 data->parent= numnodes; // Remember current node as new parent
+ DBUG_ASSERT(data->level <= MAX_LEVEL);
 data->pos[data->level]= numnodes;
- node.level= data->level++;
+ if (data->level < MAX_LEVEL)
+ node.level= data->level++;
+ else
+ return MY_XML_ERROR;
 node.type= st->current_node_type; // TAG or ATTR
 node.beg= attr;
 node.end= attr + len;