Bug #58544 Access violation when using updatexml, convert
Submitted: 29 Nov 2010 2:08    Modified: 1 Dec 2010 17:36
Reporter: Roel Van de Paar
Status: Duplicate
Category: MySQL Server: Charsets    Severity: S1 (Critical)
Version: 5.1.39, 5.1.53    OS: Any
Assigned to:    CPU Architecture: Any
Tags: application verifier

[29 Nov 2010 2:08] Roel Van de Paar
Description:
(160c.1004): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
>  135:   else if (!memcmp(p->cur, "<![CDATA[",9))
mysqld!my_xml_scan+0x165:
00000001`40342825 4c8b09          mov     r9,qword ptr [rcx] ds:00000000`08b69ff9=????????????????
0:013> kM
 # Child-SP          RetAddr           Call Site
00 00000000`35b0ce70 00000001`40342d94 mysqld!my_xml_scan+0x165
01 00000000`35b0cea0 00000001`401d6fe2 mysqld!my_xml_parse+0x104
02 00000000`35b0cf10 00000001`401d71c4 mysqld!Item_xml_str_func::parse_xml+0xd2
03 00000000`35b0d560 00000001`400f89b1 mysqld!Item_func_xml_update::val_str+0x74
04 00000000`35b0d5a0 00000001`4005d21f mysqld!Item::send+0x1d1
05 00000000`35b0d600 00000001`401751b2 mysqld!select_send::send_data+0xbf
06 00000000`35b0d970 00000001`401764d4 mysqld!JOIN::exec+0x212
07 00000000`35b0d9f0 00000001`401768d6 mysqld!mysql_select+0x2b4
08 00000000`35b0da80 00000001`40069f30 mysqld!handle_select+0x116
09 00000000`35b0db20 00000001`4006cefc mysqld!execute_sqlcom_select+0x260
0a 00000000`35b0dfa0 00000001`40071910 mysqld!mysql_execute_command+0x46c
0b 00000000`35b0f390 00000001`400725e8 mysqld!mysql_parse+0x1b0
0c 00000000`35b0f4c0 00000001`40073077 mysqld!dispatch_command+0x798
0d 00000000`35b0fe20 00000001`4009a147 mysqld!do_command+0xf7
0e 00000000`35b0fe60 00000001`4031faa5 mysqld!handle_one_connection+0x127
0f 00000000`35b0fe90 00000001`402ea477 mysqld!pthread_start+0x55
10 00000000`35b0fec0 00000001`402ea545 mysqld!_callthreadstart+0x17
11 00000000`35b0fef0 000007fe`f32f93c7 mysqld!_threadstart+0x95
12 00000000`35b0ff20 00000000`76ddf56d vfbasics!AVrfpStandardThreadFunction+0x2b
13 00000000`35b0ff60 00000000`77013021 kernel32!BaseThreadInitThunk+0xd
14 00000000`35b0ff90 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

Code:

----------
  /* Comment branch: the 4-byte memcmp is guarded by a remaining-length check. */
  if ((p->end - p->cur > 3) && !memcmp(p->cur,"<!--",4))
  {
    for (; (p->cur < p->end) && memcmp(p->cur, "-->", 3); p->cur++)
    {}
    if (!memcmp(p->cur, "-->", 3))
      p->cur+=3;
    a->end=p->cur;
    lex=MY_XML_COMMENT;
  }
  /* CDATA branch: no check that 9 bytes remain before the memcmp, so with fewer
     than 9 bytes left it reads past the end of the input (the faulting read). */
  else if (!memcmp(p->cur, "<![CDATA[",9))     <-------- xml.c @ 135
  {
    p->cur+= 9;
    for (; p->cur < p->end - 2 ; p->cur++)
    {
      if (p->cur[0] == ']' && p->cur[1] == ']' && p->cur[2] == '>')
      {
        p->cur+= 3;
        a->end= p->cur;
        break;
      }
    }
    lex= MY_XML_CDATA;
  }
----------

How to repeat:
Run MySQL 5.1.53 x64 under application verifier / WinDBG

(See instructions for application verifier in bug #58376 "How to repeat" section.)

SELECT updatexml((convert(("<aaa><bbb a='a'  b='b' >< ccc aa='a' >bb</ccc></bbb></aaa>") using latin1)),(1),(1));

Suggested fix:
For Devs: have a full coredump available if needed.
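The snippet above compares a 9-byte literal against whatever is left of the input without first checking that 9 bytes remain, which is the read the verifier trapped. The following is an added example, not code from MySQL's xml.c or from this report: a small C scanner for the same two token forms in which every literal comparison, including the terminator search, goes through a single bounded prefix check. The names (`has_prefix`, `scan_markup`, `scan_kind`, `scan_len`, the `TOK_*` kinds) are hypothetical, and the inputs are constructed; two of them are deliberately shorter than the `<![CDATA[` literal so the difference between "no match" and "over-read" is visible.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Token kinds for the two markup forms in the snippet. Names are hypothetical,
 * not the MY_XML_* constants from xml.c. */
typedef enum { TOK_NONE = 0, TOK_COMMENT, TOK_CDATA, TOK_UNTERMINATED } tok_t;

/* Cursor/end pair, the same shape as p->cur / p->end in the snippet. */
typedef struct { const char *cur; const char *end; } scanner_t;

/* Bounded literal match: compare only when at least n bytes remain, so a
 * buffer shorter than the literal yields "no match" instead of an over-read. */
static int has_prefix(const scanner_t *p, const char *lit, size_t n)
{
    return (size_t)(p->end - p->cur) >= n && memcmp(p->cur, lit, n) == 0;
}

/* Scan one "<!--...-->" or "<![CDATA[...]]>" token at p->cur, advancing the
 * cursor. Every comparison, including the terminator search, goes through
 * has_prefix(), so the scanner never touches bytes at or beyond p->end. */
tok_t scan_markup(scanner_t *p)
{
    if (has_prefix(p, "<!--", 4)) {
        for (p->cur += 4; p->cur < p->end; p->cur++) {
            if (has_prefix(p, "-->", 3)) { p->cur += 3; return TOK_COMMENT; }
        }
        return TOK_UNTERMINATED;   /* ran off the end: cur == end */
    }
    if (has_prefix(p, "<![CDATA[", 9)) {
        for (p->cur += 9; p->cur < p->end; p->cur++) {
            if (has_prefix(p, "]]>", 3)) { p->cur += 3; return TOK_CDATA; }
        }
        return TOK_UNTERMINATED;
    }
    return TOK_NONE;               /* neither form; cursor left unchanged */
}

/* Wrappers over an explicit (ptr, len) buffer with no reliance on a NUL
 * terminator, mirroring how a server hands a length-delimited string to a parser. */
tok_t scan_kind(const char *buf, size_t len)
{
    scanner_t p = { buf, buf + len };
    return scan_markup(&p);
}

size_t scan_len(const char *buf, size_t len)
{
    scanner_t p = { buf, buf + len };
    scan_markup(&p);
    return (size_t)(p.cur - buf);
}

int main(void)
{
    /* Constructed inputs. "<![CD" and "<!" are shorter than the 9-byte literal;
     * an unchecked 9-byte memcmp on them reads past the buffer, while
     * has_prefix() simply reports no match and leaves the cursor alone. */
    struct { const char *s; size_t n; } in[] = {
        { "<![CDATA[bb]]>", 14 }, { "<!-- c -->", 10 },
        { "<![CD", 5 }, { "<!", 2 }, { "<![CDATA[open", 13 },
    };
    static const char *name[] = { "NONE", "COMMENT", "CDATA", "UNTERMINATED" };
    size_t i;
    for (i = 0; i < sizeof in / sizeof in[0]; i++)
        printf("%-16s -> %-12s consumed %zu\n", in[i].s,
               name[scan_kind(in[i].s, in[i].n)], scan_len(in[i].s, in[i].n));
    return 0;
}
```

The design point is that the length check lives in one helper rather than being repeated (or forgotten) at each call site; a truncated `<![CDATA[` prefix and a CDATA section with no closing `]]>` are both reported as ordinary scan results instead of turning into an out-of-bounds read.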
[1 Dec 2010 17:36] Omer Barnir
Duplicate of bug#44332