Bug#51571 load xml infile causes server crash

Problem: item->name was NULL for Item_user_var_as_out_param which made strcmp(something, item->name) crash in the LOAD XML code. Fix: - item_func.h: Adding set_name() in constuctor for Item_user_var_as_out_param - sql_load.cc: Changing the condition in write_execute_load_query_log_event() which distiguished between Item_user_var_as_out_param and Item_field from if (item->name == NULL) to if (item->type() == Item::FIELD_ITEM) - loadxml.result, loadxml.test: adding tests
2025-01-16 12:02:42 +01:00 · 2010-05-05 14:34:20 +04:00 · 2010-05-05 14:34:20 +04:00 · 3c93a784d4
commit 3c93a784d4
parent f90f341491
4 changed files with 31 additions and 2 deletions
--- a/mysql-test/r/loadxml.result
+++ b/mysql-test/r/loadxml.result
@ -73,3 +73,23 @@ id	text
 line2
 line3
 drop table t1;
+#
+# Bug#51571 load xml infile causes server crash
+#
+CREATE TABLE t1 (a text, b text);
+LOAD XML INFILE '../../std_data/loadxml.dat' INTO TABLE t1
+ROWS IDENTIFIED BY '<row>' (a,@b) SET b=concat('!',@b);
+SELECT * FROM t1 ORDER BY a;
+a	b
+1	!b1
+11	!b11
+111	!b111
+112	!b112 & < > " ' &unknown; -- check entities
+2	!b2
+212	!b212
+213	!b213
+214	!b214
+215	!b215
+216	!&bb b;
+3	!b3
+DROP TABLE t1;
--- a/mysql-test/t/loadxml.test
+++ b/mysql-test/t/loadxml.test
@ -108,3 +108,11 @@ load xml infile '../../std_data/loadxml2.dat' into table t1;
 select * from t1;
 drop table t1;

+--echo #
+--echo # Bug#51571 load xml infile causes server crash
+--echo #
+CREATE TABLE t1 (a text, b text);
+LOAD XML INFILE '../../std_data/loadxml.dat' INTO TABLE t1
+ROWS IDENTIFIED BY '<row>' (a,@b) SET b=concat('!',@b);
+SELECT * FROM t1 ORDER BY a;
+DROP TABLE t1;
--- a/sql/item_func.h
+++ b/sql/item_func.h
@ -1498,7 +1498,8 @@ class Item_user_var_as_out_param :public Item
  LEX_STRING name;
  user_var_entry *entry;
 public:
-  Item_user_var_as_out_param(LEX_STRING a) : name(a) {}
+  Item_user_var_as_out_param(LEX_STRING a) : name(a)
+  { set_name(a.str, 0, system_charset_info); }
  /* We should return something different from FIELD_ITEM here */
  enum Type type() const { return STRING_ITEM;}
  double val_real();
--- a/sql/sql_load.cc
+++ b/sql/sql_load.cc
@ -696,7 +696,7 @@ static bool write_execute_load_query_log_event(THD *thd, sql_exchange* ex,
    {
      if (n++)
        pfields.append(", ");
-      if (item->name)
+      if (item->type() == Item::FIELD_ITEM)
      {
        pfields.append("`");
        pfields.append(item->name);