Bug #28558 UpdateXML called with garbage crashes server
Submitted: 21 May 2007 10:19 Modified: 2 Jun 2007 14:29
Reporter: Alexander Barkov Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: XML functions Severity:S3 (Non-critical)
Version:5.1 OS:Any
Assigned to: Alexander Barkov CPU Architecture:Any

[21 May 2007 10:19] Alexander Barkov 
Description:
This problem was originally posted as an additional comment
to Bug#27898 "UPDATEXML Crashes the Server!". But this is a
separate issue.

This next testcase gives signal 6 and invalid memory access warnings from
glibc.
When testing the bugfix, use many random strings, not only the provided testcase
in the bug report :)

How to repeat:
select UpdateXML('e   Vv YT61Nm.s:7M14KSjFajguh,V
:BOVQs1F2EjoEY4:z23Io;r.vTgFyAZLaSCQ2YjVXsqb.6uOG86,:0aSOa Lx aO53OWRt7N5r03    
  .egz d:sqkCu    XhWKu   ','Q2YjVXsq     b.6uOG86,:0aSOa Lx aO53OWRt7N5r03    
.egz d:sqkCu    XhWKu   H nzu4AgJA5t CT.3uz8wFC0qMVmuMp GUwFOy q       
ybyf1NGqL1fpb0JvpNSzgTtiMa meRIHajdF2Fen6Qcsi.SiWXAw2T.ozT6JTa       
Qs6HmfXNUl0GmCmTZ :aQTY6m;iJWW0N ZGzPrzK zZTSinxgLIpv 4p3Qm,G5v U vPZnq uUS
VZOZj','4AgJA5t CT.3uz8wFC0qMVmuMp        GUwFOy q       
ybyf1NGqL1fpb0JvpNSzgTtiMa meRIHajdF2Fen6Qcsi.SiWXAw2T.ozT6JTa       
Qs6HmfXNUl0GmCmTZ ');

Version: '5.1.18-beta-debug'  socket: '/tmp/mysql.sock'  port: 3306  yes
sbester@www:~/server/5.1/mysql-5.1.18-beta-linux-i686> *** glibc detected ***
free(): invalid pointer: 0x4e316679 ***
[21 May 2007 12:47] MySQL Verification Team 
the fix can be tested with this testcase which submits random blob arguments to the updatexml function.

Attachment: bug28558.c (text/plain), 6.05 KiB.
[23 May 2007 7:07] Alexander Barkov 
Memory corruption happens in the code generating error message.

An easier query demonstrating the same problem.

select UpdateXML('<a>a</a>',repeat('b b',1000),'');
[23 May 2007 7:40] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/27184

ChangeSet@1.2580, 2007-05-23 12:34:47+05:00, bar@mysql.com +3 -0
  Bug#28558 UpdateXML called with garbage crashes server
  Problem: Memory overrun happened in attempts to generate
  error messages (e.g. in case of incorrect XPath syntax).
  Reason: set_if_bigger() was used instead of set_if_smaller().
  Change: replacing wrong set_if_bigger() to set_if_smaller(),
  and making minor additional code clean-ups.
[23 May 2007 8:10] Sergey Vojtovich 
ok to push.
[23 May 2007 8:19] Alexander Barkov 
Pushed into 5.1.18-rpl
[1 Jun 2007 19:24] Bugs System 
Pushed into 5.1.20-beta
[2 Jun 2007 14:29] Jon Stephens 
Thank you for your bug report. This issue has been committed to our source repository of that product and will be incorporated into the next release.

If necessary, you can access the source repository and build the latest available version, including the bug fix. More information about accessing the source trees is available at

    http://dev.mysql.com/doc/en/installing-source.html

Documented bugfix in 5.1.20 changelog.