Bug#58175 xml functions read initialized bytes when conversions happen

Problem: nr_of_decimals could read behind the end of the buffer in case of a non-null-terminated string, which caused valgring warnings. Fix: fixing nr_of_decimals not to read behind the "end" pointer. modified: @ mysql-test/r/xml.result @ mysql-test/t/xml.test @ sql/item.cc
2025-01-16 12:02:42 +01:00 · 2010-11-19 18:24:29 +03:00 · 2010-11-19 18:24:29 +03:00 · 76ce2feb5f
commit 76ce2feb5f
parent e436148143
3 changed files with 47 additions and 2 deletions
--- a/mysql-test/r/xml.result
+++ b/mysql-test/r/xml.result
@ -1101,3 +1101,16 @@ ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111
 SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1));
 ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111' value found during parsing
 End of 5.1 tests
+#
+# Start of 5.5 tests
+#
+#
+# Bug#58175 xml functions read initialized bytes when conversions happen
+#
+SET NAMES latin1;
+SELECT UPDATEXML(CONVERT('' USING swe7), TRUNCATE('',1), 0);
+UPDATEXML(CONVERT('' USING swe7), TRUNCATE('',1), 0)
+NULL
+#
+# End of 5.5 tests
+#
--- a/mysql-test/t/xml.test
+++ b/mysql-test/t/xml.test
@ -628,3 +628,18 @@ SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1));


 --echo End of 5.1 tests
+
+
+--echo #
+--echo # Start of 5.5 tests
+--echo #
+
+--echo #
+--echo # Bug#58175 xml functions read initialized bytes when conversions happen
+--echo #
+SET NAMES latin1;
+SELECT UPDATEXML(CONVERT('' USING swe7), TRUNCATE('',1), 0);
+
+--echo #
+--echo # End of 5.5 tests
+--echo #
--- a/sql/item.cc
+++ b/sql/item.cc
@ -5527,10 +5527,27 @@ static uint nr_of_decimals(const char *str, const char *end)
      break;
  }
  decimal_point= str;
-  for (; my_isdigit(system_charset_info, *str) ; str++)
+  for ( ; str < end && my_isdigit(system_charset_info, *str) ; str++)
    ;
-  if (*str == 'e' || *str == 'E')
+  if (str < end && (*str == 'e' || *str == 'E'))
    return NOT_FIXED_DEC;
+  /*
+    QQ:
+    The number of decimal digist in fact should be (str - decimal_point - 1).
+    But it seems the result of nr_of_decimals() is never used!
+
+    In case of 'e' and 'E' nr_of_decimals returns NOT_FIXED_DEC.
+    In case if there is no 'e' or 'E' parser code in sql_yacc.yy
+    never calls Item_float::Item_float() - it creates Item_decimal instead.
+
+    The only piece of code where we call Item_float::Item_float(str, len)
+    without having 'e' or 'E' is item_xmlfunc.cc, but this Item_float
+    never appears in metadata itself. Changing the code to return
+    (str - decimal_point - 1) does not make any changes in the test results.
+
+    This should be addressed somehow.
+    Looks like a reminder from before real DECIMAL times.
+  */
  return (uint) (str - decimal_point);
 }