Bug#57279 updatexml dies with: Assertion failed: str_arg[length] == 0

Problem: crash in Item_float constructor on DBUG_ASSERT due to not null-terminated string parameter. Fix: making Item_float::Item_float non-null-termintated parameter safe: - Using temporary buffer when generating error modified: @ mysql-test/r/xml.result @ mysql-test/t/xml.test @ sql/item.cc
2025-01-18 04:53:01 +01:00 · 2010-11-18 16:11:18 +03:00 · 2010-11-18 16:11:18 +03:00 · d720c49188
commit d720c49188
parent aaa370f5d7
3 changed files with 31 additions and 8 deletions
--- a/mysql-test/r/xml.result
+++ b/mysql-test/r/xml.result
@ -1093,4 +1093,11 @@ Warnings:
 Warning	1525	Incorrect XML value: 'parse error at line 1 pos 23: unexpected END-OF-INPUT'
 Warning	1525	Incorrect XML value: 'parse error at line 1 pos 23: unexpected END-OF-INPUT'
 DROP TABLE t1;
+#
+# Bug#57279 updatexml dies with: Assertion failed: str_arg[length] == 0
+#
+SELECT UPDATEXML(NULL, (LPAD(0.1111E-15, '2011', 1)), 1);
+ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111' value found during parsing
+SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1));
+ERROR 22007: Illegal double '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111' value found during parsing
 End of 5.1 tests
--- a/mysql-test/t/xml.test
+++ b/mysql-test/t/xml.test
@ -617,4 +617,14 @@ FROM t1 ORDER BY t1.id;

 DROP TABLE t1;

+--echo #
+--echo # Bug#57279 updatexml dies with: Assertion failed: str_arg[length] == 0
+--echo #
+
+--error ER_ILLEGAL_VALUE_FOR_TYPE
+SELECT UPDATEXML(NULL, (LPAD(0.1111E-15, '2011', 1)), 1);
+--error ER_ILLEGAL_VALUE_FOR_TYPE
+SELECT EXTRACTVALUE('', LPAD(0.1111E-15, '2011', 1));
+
+
 --echo End of 5.1 tests
--- a/sql/item.cc
+++ b/sql/item.cc
@ -5286,8 +5286,17 @@ static uint nr_of_decimals(const char *str, const char *end)


 /**
-  This function is only called during parsing. We will signal an error if
-  value is not a true double value (overflow)
+  This function is only called during parsing:
+  - when parsing SQL query from sql_yacc.yy
+  - when parsing XPath query from item_xmlfunc.cc
+  We will signal an error if value is not a true double value (overflow):
+  eng: Illegal %s '%-.192s' value found during parsing
+  
+  Note: the string is NOT null terminated when called from item_xmlfunc.cc,
+  so this->name will contain some SQL query tail behind the "length" bytes.
+  This is Ok for now, as this Item is never seen in SHOW,
+  or EXPLAIN, or anywhere else in metadata.
+  Item->name should be fixed to use LEX_STRING eventually.
 */

 Item_float::Item_float(const char *str_arg, uint length)
@ -5298,12 +5307,9 @@ Item_float::Item_float(const char *str_arg, uint length)
                    &error);
  if (error)
  {
-    /*
-      Note that we depend on that str_arg is null terminated, which is true
-      when we are in the parser
-    */
-    DBUG_ASSERT(str_arg[length] == 0);
-    my_error(ER_ILLEGAL_VALUE_FOR_TYPE, MYF(0), "double", (char*) str_arg);
+    char tmp[NAME_LEN + 1];
+    my_snprintf(tmp, sizeof(tmp), "%.*s", length, str_arg);
+    my_error(ER_ILLEGAL_VALUE_FOR_TYPE, MYF(0), "double", tmp);
  }
  presentation= name=(char*) str_arg;
  decimals=(uint8) nr_of_decimals(str_arg, str_arg+length);