Fix #434 ub/sigsegv when using strtod on non-terminated strings. Test…

… added.

src/gtests_functions.cpp

@@ -1225,3 +1225,15 @@ TEST ( functions, int64_le )
 	ASSERT_EQ ( iTest, iTestLE ) << "little endian allows simplify";
 #endif
 }
+
+TEST ( functions, FindLastNumeric )
+{
+	static const char * sNum1 = "12345";
+	ASSERT_EQ ( sNum1, sphFindLastNumeric (sNum1,5 ));
+
+	static const char * sNum2 = "1234 ";
+	ASSERT_EQ ( sNum2+5, sphFindLastNumeric ( sNum2, 5 ) );
+
+	static const char * sNum3 = "12 34";
+	ASSERT_EQ ( sNum3 + 3, sphFindLastNumeric ( sNum3, 5 ) );
+}

src/sphinxexpr.cpp

@@ -4387,6 +4387,8 @@ class Expr_ContainsExprvec_c : public Expr_Contains_c
 };
 
 
+
+
 class Expr_ContainsStrattr_c : public Expr_Contains_c
 {
 protected:
@@ -4404,14 +4406,20 @@ class Expr_ContainsStrattr_c : public Expr_Contains_c
 
 	static void ParsePoly ( const char * p, int iLen, CSphVector<float> & dPoly )
 	{
-		const char * pMax = p+iLen;
+		const char * pBegin = p;
+		const char * pMax = sphFindLastNumeric ( p, iLen );
 		while ( p<pMax )
 		{
 			if ( isdigit(p[0]) || ( p+1<pMax && p[0]=='-' && isdigit(p[1]) ) )
 				dPoly.Add ( (float)strtod ( p, (char**)&p ) );
 			else
 				p++;
 		}
+
+		// edge case - last numeric touches the end
+		iLen -= pMax - pBegin;
+		if ( iLen )
+			dPoly.Add ( (float)strtod ( CSphString(pMax, iLen).cstr (), nullptr ) );
 	}
 
 	int IntEval ( const CSphMatch & tMatch ) const final

src/sphinxutils.h

@@ -30,6 +30,21 @@ inline int sphIsAlpha ( int c )
 	return ( c>='0' && c<='9' ) || ( c>='a' && c<='z' ) || ( c>='A' && c<='Z' ) || c=='-' || c=='_';
 }
 
+/// symbols allowed in numbers (like 1.84E-20)
+inline bool sphIsDigital ( char c )
+{
+	return ( c>='0' && c<='9' ) || c=='.' || c=='E' || c=='e' || c=='+' || c=='-';
+}
+
+/// pointer to the last number in the buf, touching it's end
+inline const char * sphFindLastNumeric ( const char * pBuf, int iLen )
+{
+	for ( auto pLast = pBuf + iLen - 1; pLast>=pBuf; --pLast )
+		if ( !sphIsDigital ( *pLast ) )
+			return pLast + 1;
+
+	return pBuf;
+}
 
 /// my own isspace
 inline bool sphIsSpace ( int iCode )

test/test_362/model.bin

@@ -0,0 +1 @@
+a:1:{i:0;a:1:{i:0;a:3:{s:8:"sphinxql";s:55:"SELECT id, CONTAINS(POLY2D(poly2d_attr),2,40) FROM test";s:10:"total_rows";i:2;s:4:"rows";a:2:{i:0;a:2:{s:2:"id";s:1:"1";s:34:"contains(poly2d(poly2d_attr),2,40)";s:1:"0";}i:1;a:2:{s:2:"id";s:1:"2";s:34:"contains(poly2d(poly2d_attr),2,40)";s:1:"0";}}}}}

test/test_362/test.xml

@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="utf-8"?>
+<test>
+<name>asciiz edge effect on string attributes</name>
+
+<requires>
+<force-rt/>
+</requires>
+
+<config>
+indexer
+{
+	mem_limit = 16M
+}
+
+searchd
+{
+	<searchd_settings/>
+}
+
+source test
+{
+	type = mysql
+	<sql_settings/>
+	sql_query = SELECT * FROM test_table
+	sql_attr_string = kk
+	sql_attr_string = poly2d_attr
+}
+
+index test
+{
+	source	= test
+	path	= <data_path/>/test
+}
+
+</config>
+
+<db_create>
+CREATE TABLE test_table
+(
+	id INT NOT NULL,
+	title VARCHAR(255) NOT NULL,
+	kk VARCHAR(255) NOT NULL,
+	poly2d_attr VARCHAR(255) NOT NULL
+);
+</db_create>
+
+<db_drop>DROP TABLE IF EXISTS test_table;</db_drop>
+
+<!-- Key point of the test:
+   Since string attrs in blob are packed and NOT z-terminated,
+   right after last byte of poly2d_attr of doc 1 will follow
+   packed attr kk of doc2. Packing first write len of attr (50) and then
+   the blob of string itself.
+   Finally it lead to the fact that in the saved blob (at least of RAM-chunk in rt)
+   will be raw byte sequence '1,2,3,4,4,6210 tenten ...'.
+   Original version of POLY2D will catch it, and so, reveal that point (2,40) are
+   in polygon (triangle) (1,2) (3,4) (4,6), because last point is parsed
+   was (4,6210).
+   -->
+
+<db_insert>
+INSERT INTO test_table ( id, title, kk, poly2d_attr ) VALUES
+( 1, 'ohai', 'eleventy', '1,2,3,4,4,6' ),
+( 2, 'ohai2', '10 tenten tententen tententen tententen tententen ', '1,2,3,4,4,6' )
+</db_insert>
+
+<sphqueries>
+<sphinxql>SELECT id, CONTAINS(POLY2D(poly2d_attr),2,40) FROM test</sphinxql>
+</sphqueries>
+
+</test>