Bug #58175 xml functions read initialized bytes when conversions happen
Submitted: 13 Nov 2010 12:55 Modified: 13 Dec 2010 5:43
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category:MySQL Server: XML functions Severity:S2 (Serious)
Version:5.5.7, 5.5.8-debug OS:Any
Assigned to: Alexander Barkov CPU Architecture:Any
Tags: regression, updatexml, valgrind

[13 Nov 2010 12:55] Shane Bester
Description:
Version: '5.5.8-rc-valgrind-max-debug'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
Thread 17:

Use of uninitialised value of size 8
at : nr_of_decimals (item.cc:5534)
by : Item_float::Item_float (item.cc:5563)
by : my_xpath_parse_Number (item_xmlfunc.cc:2371)
by : my_xpath_parse_PrimaryExpr (item_xmlfunc.cc:1871)
by : my_xpath_parse_FilterExpr (item_xmlfunc.cc:2018)
by : my_xpath_parse_FilterExpr_opt_slashes_RelativeLocationPath (item_xmlfunc.cc:1976)
by : my_xpath_parse_PathExpr (item_xmlfunc.cc:1995)
by : my_xpath_parse_UnionExpr (item_xmlfunc.cc:1939)
by : my_xpath_parse_UnaryExpr (item_xmlfunc.cc:2325)
by : my_xpath_parse_MultiplicativeExpr (item_xmlfunc.cc:2282)
by : my_xpath_parse_AdditiveExpr (item_xmlfunc.cc:2234)
by : my_xpath_parse_RelationalExpr (item_xmlfunc.cc:2192)
by : my_xpath_parse_EqualityExpr (item_xmlfunc.cc:2131)
by : my_xpath_parse_AndExpr (item_xmlfunc.cc:2066)
by : my_xpath_parse_OrExpr (item_xmlfunc.cc:2035)
by : my_xpath_parse (item_xmlfunc.cc:2568)
by : Item_xml_str_func::fix_length_and_dec (item_xmlfunc.cc:2607)
by : Item_func::fix_fields (item_func.cc:219)
by : Item_str_func::fix_fields (item_strfunc.cc:117)
by : setup_fields (sql_base.cc:7727)
by : JOIN::prepare (sql_select.cc:542)
by : mysql_select (sql_select.cc:2547)
by : handle_select (sql_select.cc:296)
by : execute_sqlcom_select (sql_parse.cc:4469)
by : mysql_execute_command (sql_parse.cc:2065)
by : mysql_parse (sql_parse.cc:5512)
by : dispatch_command (sql_parse.cc:1029)
by : do_command (sql_parse.cc:769)
by : do_handle_one_connection (sql_connect.cc:745)
by : handle_one_connection (sql_connect.cc:684)
by : start_thread (pthread_create.c:301)
 Uninitialised value was created by a heap allocation
at : malloc (vg_replace_malloc.c:195)
by : my_malloc (my_malloc.c:38)
by : String::real_alloc (sql_string.cc:44)
by : String::alloc (sql_string.h:221)
by : String::copy (sql_string.cc:287)
by : Item_func_conv_charset::Item_func_conv_charset (item_strfunc.h:758)
by : Item::safe_charset_converter (item.cc:826)
by : agg_item_set_converter (item.cc:1815)
by : agg_item_charsets (item.cc:1904)
by : agg_item_charsets_for_comparison (item.h:1571)
by : Item_func::agg_arg_charsets_for_comparison (item_func.h:180)
by : Item_xml_str_func::fix_length_and_dec (item_xmlfunc.cc:2580)
by : Item_func::fix_fields (item_func.cc:219)
by : Item_str_func::fix_fields (item_strfunc.cc:117)
by : setup_fields (sql_base.cc:7727)
by : JOIN::prepare (sql_select.cc:542)
by : mysql_select (sql_select.cc:2547)
by : handle_select (sql_select.cc:296)
by : execute_sqlcom_select (sql_parse.cc:4469)
by : mysql_execute_command (sql_parse.cc:2065)
by : mysql_parse (sql_parse.cc:5512)
by : dispatch_command (sql_parse.cc:1029)
by : do_command (sql_parse.cc:769)
by : do_handle_one_connection (sql_connect.cc:745)
by : handle_one_connection (sql_connect.cc:684)
by : start_thread (pthread_create.c:301)

5.1.52 was not affected.

How to repeat:
run mysqld in valgrind

set names latin1;
select updatexml(convert('' using swe7),truncate('',1),0);
[13 Nov 2010 21:45] Valeriy Kravchuk
Verified on 32-bit Ubuntu 10.04:

==25085== 1 errors in context 3 of 5:
==25085== Use of uninitialised value of size 4
==25085==    at 0x835C971: nr_of_decimals(char const*, char const*) (item.cc:5535)
==25085==    by 0x835CB75: Item_float::Item_float(char const*, unsigned int) (item.cc:5564)
==25085==    by 0x846AFEA: my_xpath_parse_Number(my_xpath_st*) (item_xmlfunc.cc:2371)
==25085==    by 0x846A2A8: my_xpath_parse_PrimaryExpr(my_xpath_st*) (item_xmlfunc.cc:1871)
==25085==    by 0x846A623: my_xpath_parse_FilterExpr(my_xpath_st*) (item_xmlfunc.cc:2018)
==25085==    by 0x846A53C: my_xpath_parse_FilterExpr_opt_slashes_RelativeLocationPath(my_xpath_st*) (item_xmlfunc.cc:1976)
==25085==    by 0x846A5FD: my_xpath_parse_PathExpr(my_xpath_st*) (item_xmlfunc.cc:1995)
==25085==    by 0x846A426: my_xpath_parse_UnionExpr(my_xpath_st*) (item_xmlfunc.cc:1939)
==25085==    by 0x846AE94: my_xpath_parse_UnaryExpr(my_xpath_st*) (item_xmlfunc.cc:2325)
==25085==    by 0x846AD1D: my_xpath_parse_MultiplicativeExpr(my_xpath_st*) (item_xmlfunc.cc:2282)
==25085==    by 0x846ABB9: my_xpath_parse_AdditiveExpr(my_xpath_st*) (item_xmlfunc.cc:2234)
==25085==    by 0x846AA84: my_xpath_parse_RelationalExpr(my_xpath_st*) (item_xmlfunc.cc:2192)
==25085== 
...
[18 Nov 2010 19:20] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/124284

3135 Alexander Barkov	2010-11-18
      Bug#58175 xml functions read initialized bytes when conversions happen
      
      Problem:
      
      nr_of_decimals could read behind the end of the buffer
      in case of a non-null-terminated string, which caused
      valgrind warnings.
      
      Fix:
      
      fixing nr_of_decimals not to read behind the "end" pointer.
[19 Nov 2010 15:40] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/124484

3137 Alexander Barkov	2010-11-19
      Bug#58175 xml functions read initialized bytes when conversions happen
      
      Problem:
      
       nr_of_decimals could read behind the end of the buffer
       in case of a non-null-terminated string, which caused
       valgrind warnings.
      
      Fix:
      
        fixing nr_of_decimals not to read behind the "end" pointer.
      
      modified:
      
        @ mysql-test/r/xml.result
        @ mysql-test/t/xml.test
        @ sql/item.cc
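The two commit messages above describe the defect in one sentence: nr_of_decimals kept scanning past the "end" pointer whenever the string it was handed had no NUL terminator, which is exactly what a freshly malloc'ed charset-conversion buffer (the String::copy allocation in the valgrind trace) looks like. The following C model is an added illustration, not MySQL's code: the function bodies, the NOT_FIXED_DEC value and the sample buffers are assumptions made here to show the pattern. The "number" occupies only the first three bytes of each array and is not NUL-terminated; the bytes after it stand in for whatever the heap happened to contain. Keeping that junk inside the same array keeps the demonstration well-defined C while still producing the wrong answer the unbounded scan would give on uninitialised memory.

```c
#include <ctype.h>
#include <stdio.h>

/* Assumed value for "decimals not fixed" (MySQL's NOT_FIXED_DEC is 31). */
#define NOT_FIXED_DEC 31

/*
 * Model of the scan before the fix (reconstruction, not the project's code):
 * the search for '.' honours 'end', but the digit scan after the '.' and the
 * exponent check do not, so on a buffer without a NUL terminator they read
 * whatever bytes follow the string.
 */
static unsigned nr_of_decimals_unbounded(const char *str, const char *end)
{
  const char *decimal_point;
  for (;;) {
    if (str == end)
      return 0;
    if (*str == 'e' || *str == 'E')
      return NOT_FIXED_DEC;
    if (*str++ == '.')
      break;
  }
  decimal_point = str;
  while (isdigit((unsigned char)*str))    /* no 'end' check: over-read */
    str++;
  if (*str == 'e' || *str == 'E')          /* no 'end' check: over-read */
    return NOT_FIXED_DEC;
  return (unsigned)(str - decimal_point);
}

/* Bounded scan: every dereference after the '.' is guarded by str < end. */
static unsigned nr_of_decimals_bounded(const char *str, const char *end)
{
  const char *decimal_point;
  for (;;) {
    if (str == end)
      return 0;
    if (*str == 'e' || *str == 'E')
      return NOT_FIXED_DEC;
    if (*str++ == '.')
      break;
  }
  decimal_point = str;
  while (str < end && isdigit((unsigned char)*str))
    str++;
  if (str < end && (*str == 'e' || *str == 'E'))
    return NOT_FIXED_DEC;
  return (unsigned)(str - decimal_point);
}

/*
 * Constructed inputs: only the first 3 bytes are the number ("1.5", "2.5");
 * the rest models stale heap bytes that follow a non-NUL-terminated buffer.
 */
static const char buf_digits[]   = "1.5" "99";   /* junk that looks like more digits */
static const char buf_exponent[] = "2.5" "e7";   /* junk that looks like an exponent */

unsigned unbounded_on_digit_junk(void)    { return nr_of_decimals_unbounded(buf_digits, buf_digits + 3); }
unsigned bounded_on_digit_junk(void)      { return nr_of_decimals_bounded(buf_digits, buf_digits + 3); }
unsigned unbounded_on_exponent_junk(void) { return nr_of_decimals_unbounded(buf_exponent, buf_exponent + 3); }
unsigned bounded_on_exponent_junk(void)   { return nr_of_decimals_bounded(buf_exponent, buf_exponent + 3); }

int main(void)
{
  /* The unbounded scan reports 3 decimals and "not fixed" respectively;
     the bounded scan reports 1 for both, the answer for "1.5" and "2.5". */
  printf("\"1.5\" followed by \"99\": unbounded=%u bounded=%u\n",
         unbounded_on_digit_junk(), bounded_on_digit_junk());
  printf("\"2.5\" followed by \"e7\": unbounded=%u bounded=%u\n",
         unbounded_on_exponent_junk(), bounded_on_exponent_junk());
  return 0;
}
```

The point for a reviewer is that the first loop already had the right shape; the bug was that the two later reads reused the "stop at NUL" habit from C-string code on a (pointer, length) buffer. Under valgrind the difference shows up as the "Use of uninitialised value" in nr_of_decimals; without valgrind it shows up only as a wrong decimals count, which is why the report notes the effect is not visible to end users.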
[19 Nov 2010 19:30] Alexander Barkov
Pushed into mysql-5.5-bugteam [5.5.8]
Pushed into mysql-trunk-bugteam [5.6.1-m5]
[24 Nov 2010 13:07] Jon Stephens
Effects not visible to end users, so nothing to document. Closed.
[5 Dec 2010 12:40] Bugs System
Pushed into mysql-trunk 5.6.1 (revid:alexander.nozdrin@oracle.com-20101205122447-6x94l4fmslpbttxj) (version source revid:alexander.nozdrin@oracle.com-20101205122447-6x94l4fmslpbttxj) (merge vers: 5.6.1) (pib:23)
[13 Dec 2010 5:43] Jon Stephens
returning to Closed state; see my previous comment.
[16 Dec 2010 22:30] Bugs System
Pushed into mysql-5.5 5.5.9 (revid:jonathan.perkin@oracle.com-20101216101358-fyzr1epq95a3yett) (version source revid:jonathan.perkin@oracle.com-20101216101358-fyzr1epq95a3yett) (merge vers: 5.5.9) (pib:24)