Add chunk boundary test for read_quoted_text() OOB

sirreal · sirreal · commit 23b4581afed9 · 2026-04-24T23:51:54.000+02:00
Add a test that simulates the real-world trigger: a streaming SQL
processor splitting input at a chunk boundary that falls inside a
quoted string, with a backslash as the last byte. This is the exact
scenario from MySQL dump processing where FROM_BASE64() is replaced
with regular escaped string literals.
diff --git a/packages/mysql-on-sqlite/tests/mysql/WP_MySQL_Lexer_Tests.php b/packages/mysql-on-sqlite/tests/mysql/WP_MySQL_Lexer_Tests.php
@@ -325,6 +325,48 @@ public function data_valid_escaped_strings(): array {
 		);
 	}
 
+	/**
+	 * Test that a chunk boundary splitting a quoted string with a trailing
+	 * backslash does not cause an out-of-bounds string access.
+	 *
+	 * This simulates streaming SQL processing where a buffer boundary falls
+	 * inside a string literal right after a backslash escape character.
+	 */
+	public function test_chunk_boundary_inside_escaped_string(): void {
+		set_error_handler(
+			function ( $severity, $message, $file, $line ) {
+				throw new \ErrorException( $message, 0, $severity, $file, $line );
+			},
+			E_WARNING | E_NOTICE
+		);
+
+		try {
+			// Build a SQL string where a backslash falls at the chunk boundary.
+			// The string content before the boundary is padded to place the
+			// backslash at exactly position $chunk_size - 1.
+			$chunk_size = 8192;
+
+			// "SELECT '" = 8 bytes, so we need chunk_size - 8 - 1 bytes of
+			// padding before the trailing backslash to place '\' at the last
+			// byte of the chunk.
+			$padding = str_repeat( 'A', $chunk_size - 8 - 1 );
+			$sql     = "SELECT '" . $padding . "\\";
+
+			// The chunk is exactly $chunk_size bytes. The last byte is '\'.
+			// The lexer should handle this as an unclosed string without OOB.
+			$this->assertSame( $chunk_size, strlen( $sql ) );
+
+			$lexer = new WP_MySQL_Lexer( $sql );
+			while ( $lexer->next_token() ) {
+				// Consume all tokens.
+			}
+		} finally {
+			restore_error_handler();
+		}
+
+		$this->assertNull( $lexer->get_token() );
+	}
+
 	private function get_token_names( array $token_types ): array {
 		return array_map(
 			function ( $token_type ) {
