tuple: add argument length check for update()

Currently tuple_object:update() does not check the length of operation string and just takes the first character after decoding. This patch fixes this problem. Follow-up #3884
tarantool · Jan 13, 2020 · b73fb42 · b73fb42
1 parent d4fcec0
commit b73fb42
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 5 deletions.
diff --git a/src/box/xrow_update_field.c b/src/box/xrow_update_field.c
@@ -595,9 +595,11 @@ static const struct xrow_update_op_meta op_delete = {
 };
 
 static inline const struct xrow_update_op_meta *
-xrow_update_op_by(char opcode, int op_num)
+xrow_update_op_by(const char *opcode, uint32_t len, int op_num)
 {
-	switch (opcode) {
+	if (len != 1)
+		goto error;
+	switch (*opcode) {
 	case '=':
 		return &op_set;
 	case '+':
@@ -618,7 +620,7 @@ xrow_update_op_by(char opcode, int op_num)
 	}
 error:
 	diag_set(ClientError, ER_UNKNOWN_UPDATE_OP, op_num,
-		 tt_sprintf("\"%c\"", opcode));
+		 tt_sprintf("\"%.*s\"", len, opcode));
 	return NULL;
 }
 
@@ -659,10 +661,11 @@ xrow_update_op_decode(struct xrow_update_op *op, int op_num, int index_base,
 			 "update operation name must be a string");
 		return -1;
 	}
-	op->opcode = *mp_decode_str(expr, &len);
-	op->meta = xrow_update_op_by(op->opcode, op_num);
+	const char *opcode = mp_decode_str(expr, &len);
+	op->meta = xrow_update_op_by(opcode, len, op_num);
 	if (op->meta == NULL)
 		return -1;
+	op->opcode = *opcode;
 	if (arg_count != op->meta->arg_count) {
 		const char *str = tt_sprintf("wrong number of arguments, "\
 					     "expected %u, got %u",

diff --git a/test/box/update.result b/test/box/update.result
@@ -834,6 +834,18 @@ s:update({0}, {{'+', 0}})
 - error: 'Unknown UPDATE operation #1: wrong number of arguments, expected 3, got
     2'
 ...
+s:update({0}, {{'', 2, 1}})
+---
+- error: 'Unknown UPDATE operation #1: ""'
+...
+s:update({0}, {{'more than 1 character', 2, 1}})
+---
+- error: 'Unknown UPDATE operation #1: "more than 1 character"'
+...
+s:update({0}, {{'same as previous'}})
+---
+- error: 'Unknown UPDATE operation #1: "same as previous"'
+...
 s:update({0}, {{'+', '+', '+'}})
 ---
 - error: 'Field ''+'' UPDATE error: invalid JSON in position 1'

diff --git a/test/box/update.test.lua b/test/box/update.test.lua
@@ -252,6 +252,9 @@ s:update({0}, {'+', 2, 2})
 s:update({0}, {{}})
 s:update({0}, {{'+'}})
 s:update({0}, {{'+', 0}})
+s:update({0}, {{'', 2, 1}})
+s:update({0}, {{'more than 1 character', 2, 1}})
+s:update({0}, {{'same as previous'}})
 s:update({0}, {{'+', '+', '+'}})
 s:update({0}, {{0, 0, 0}})