Bug #27898 | UPDATEXML Crashes the Server! | ||
---|---|---|---|
Submitted: | 17 Apr 2007 18:56 | Modified: | 2 Jun 2007 14:18 |
Reporter: | Roland Bouman | | |
Status: | Closed | | |
Category: | MySQL Server: XML functions | Severity: | S1 (Critical) |
Version: | 5.1.16,5.1.17,5.1.18bk | OS: | Linux |
Assigned to: | Alexander Barkov | CPU Architecture: | Any |
Tags: | crash, DoS, updatexml |
[17 Apr 2007 18:56]
Roland Bouman
[17 Apr 2007 19:09]
Roland Bouman
Hi - a simpler testcase:

mysql> select updatexml( '' , '' , '' );
ERROR 1105 (HY000): XPATH syntax error: ''
mysql> select updatexml( '' , '/' , '' );
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>
[18 Apr 2007 12:05]
MySQL Verification Team
stack trace from 5.1.18BK on linux:

Stack range sanity check OK, backtrace follows:
0x81f935c handle_segfault + 796
0x81f151a _ZN6String6appendEPKcj + 410
0x81afc71 _ZN20Item_func_xml_update7val_strEP6String + 289
0x812425f _ZN4Item4sendEP8ProtocolP6String + 191
0x81dd920 _ZN11select_send9send_dataER4ListI4ItemE + 288
0x8282349 _ZN4JOIN4execEv + 3289
0x827e7c2 _Z12mysql_selectP3THDPPP4ItemP13st_table_listjR4ListIS1_ES2_jP8st_orderSB_S2_SB_yP13select_resultP18st_select_lex_unitP13st_sel + 322
0x8284162 _Z13handle_selectP3THDP6st_lexP13select_resultm + 546
0x820771f _Z21execute_sqlcom_selectP3THDP13st_table_list + 911
0x820e4b9 _Z21mysql_execute_commandP3THD + 23625
0x8212d14 _Z11mysql_parseP3THDPcj + 612
0x8214031 _Z16dispatch_command19enum_server_commandP3THDPcj + 4545
0x8214cf5 _Z10do_commandP3THD + 421
0x82007cf handle_one_connection + 271
0x4004daa7 _end + 931777335
0x4017ec2e _end + 933027006
[2 May 2007 7:45]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/25886
[2 May 2007 8:22]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/25888
[4 May 2007 5:05]
Alexander Barkov
Pushed into 5.1.18-rpl
[10 May 2007 9:50]
MySQL Verification Team
This next testcase gives signal 6 and invalid memory access warnings from glibc. When testing the bugfix, use many random strings, not only the provided testcase in the bug report :)

select UpdateXML('e Vv YT61Nm.s:7M14KSjFajguh,V :BOVQs1F2EjoEY4:z23Io;r.vTgFyAZLaSCQ2YjVXsqb.6uOG86,:0aSOa Lx aO53OWRt7N5r03 .egz d:sqkCu XhWKu ','Q2YjVXsq b.6uOG86,:0aSOa Lx aO53OWRt7N5r03 .egz d:sqkCu XhWKu H nzu4AgJA5t CT.3uz8wFC0qMVmuMp GUwFOy q ybyf1NGqL1fpb0JvpNSzgTtiMa meRIHajdF2Fen6Qcsi.SiWXAw2T.ozT6JTa Qs6HmfXNUl0GmCmTZ :aQTY6m;iJWW0N ZGzPrzK zZTSinxgLIpv 4p3Qm,G5v U vPZnq uUS VZOZj','4AgJA5t CT.3uz8wFC0qMVmuMp GUwFOy q ybyf1NGqL1fpb0JvpNSzgTtiMa meRIHajdF2Fen6Qcsi.SiWXAw2T.ozT6JTa Qs6HmfXNUl0GmCmTZ ');

Version: '5.1.18-beta-debug' socket: '/tmp/mysql.sock' port: 3306 yes
sbester@www:~/server/5.1/mysql-5.1.18-beta-linux-i686> *** glibc detected *** free(): invalid pointer: 0x4e316679 ***
[21 May 2007 10:20]
Alexander Barkov
Thanks for the additional comment! I posted this problem into a separate bug report: http://bugs.mysql.com/bug.php?id=28558
[1 Jun 2007 19:22]
Bugs System
Pushed into 5.1.20-beta
[2 Jun 2007 14:18]
Jon Stephens
Thank you for your bug report. This issue has been committed to our source repository of that product and will be incorporated into the next release. If necessary, you can access the source repository and build the latest available version, including the bug fix. More information about accessing the source trees is available at http://dev.mysql.com/doc/en/installing-source.html

Documented bugfix in 5.1.20 changelog.