Bug #2399 .../libmysql/xml.c::my_xml_scan() boundary check
Submitted: 15 Jan 2004 7:56    Modified: 19 Oct 2004 21:56
Reporter: [ name withheld ]
Status: Closed
Category: MySQL Server    Severity: S2 (Serious)
Version: >= 4.1    OS: Any (any)
Assigned to: Kent Boortz    CPU Architecture: Any

[15 Jan 2004 7:56] [ name withheld ]
Description:
in my_xml_scan():

...
if (!memcmp(p->cur,"<!--",4))
...

The above doesn't check if p->cur is very close to the end of the string (p->end) [set from my_xml_parse()]. It steps beyond the end of the string.

How to repeat:
check src

Suggested fix:
Need to check the number of bytes from p->cur to p->end before forcing a fixed 4/3-byte memcmp().
[19 Oct 2004 19:47] Kent Boortz
Purify also complains that we read outside the buffer in my_xml_scan().
The uploaded patch file should correct the problem.
[19 Oct 2004 19:50] Kent Boortz
Check that we have enough buffer left before calling memcmp()

Attachment: xml.c.patch (application/octet-stream, text), 1.26 KiB.
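The guard that the report's suggested fix and the later comment both describe, as an added example in C; it is neither the attached patch nor libmysql's own code, and the struct xml_cursor, cursor_starts_with(), xml_scan_token() and scan_at() names are assumed stand-ins for the parser state in xml.c:

```c
#include <stddef.h>
#include <string.h>

/* Assumed stand-in for the parser state in libmysql/xml.c: a cursor and a
   one-past-the-end pointer. Not the library's own struct. */
struct xml_cursor {
    const char *cur;
    const char *end;
};

/* Compare the bytes at p->cur with a fixed literal, but only when at least
   `len` bytes remain before p->end. A bare memcmp(p->cur, "<!--", 4) would
   otherwise read past the buffer, which is the overrun the report describes. */
static int cursor_starts_with(const struct xml_cursor *p, const char *lit, size_t len)
{
    if (p->cur > p->end)
        return 0;
    if ((size_t)(p->end - p->cur) < len)   /* not enough input left: no match, no read */
        return 0;
    return memcmp(p->cur, lit, len) == 0;
}

enum xml_tok { TOK_TEXT, TOK_LT, TOK_COMMENT_OPEN, TOK_COMMENT_CLOSE, TOK_END };

/* Classify the token at p->cur. Mirrors the 4-byte "<!--" and 3-byte "-->"
   comparisons the report mentions, each guarded by the remaining-length test. */
enum xml_tok xml_scan_token(const struct xml_cursor *p)
{
    if (p->cur >= p->end)
        return TOK_END;
    if (cursor_starts_with(p, "<!--", 4))
        return TOK_COMMENT_OPEN;
    if (cursor_starts_with(p, "-->", 3))
        return TOK_COMMENT_CLOSE;
    if (*p->cur == '<')
        return TOK_LT;
    return TOK_TEXT;
}

/* Wrapper for a buffer of explicit length. No NUL terminator is assumed, so a
   2-byte input "<!" sitting at the very end of its buffer is classified
   without the scanner ever touching bytes beyond buf + len. */
enum xml_tok scan_at(const char *buf, size_t len, size_t offset)
{
    struct xml_cursor c = { buf + offset, buf + len };
    return xml_scan_token(&c);
}
```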