From 2455f1a93dfb4f6fe771a6fcb5d13b55217b8a81 Mon Sep 17 00:00:00 2001
From: Rucha Deodhar
Date: Thu, 25 Apr 2024 01:32:58 +0530
Subject: [PATCH] MDEV-31543: ASAN heap-buffer-overflow in strncpy when fetching keys using JSON_OBJECT_FILTER_KEYS function

Analysis: Insufficient buffer size while copying the data.
Fix: Change buffer size to accomodate all data.
---
 mysql-test/main/func_json.result | 10 ++++++++++
 mysql-test/main/func_json.test | 10 ++++++++++
 sql/item_jsonfunc.cc | 2 +-
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/mysql-test/main/func_json.result b/mysql-test/main/func_json.result
index a403b6b3ae2..78906c19713 100644
--- a/mysql-test/main/func_json.result
+++ b/mysql-test/main/func_json.result
@@ -5197,5 +5197,15 @@ JSON_ARRAY_INTERSECT(c1, c2)
 [4]
 DROP TABLE t1;
 #
+# MDEV-31543: ASAN heap-buffer-overflow in strncpy when fetching keys using JSON_OBJECT_FILTER_KEYS function
+#
+SET @arr1='[1,2,"c"]';
+SET character_set_database=ucs2;
+SET CHARACTER SET utf8;
+SET @obj1='{ "a": 1,"b": 2,"c": 3}';
+SELECT JSON_OBJECT_FILTER_KEYS (@obj1,@arr1);
+JSON_OBJECT_FILTER_KEYS (@obj1,@arr1)
+NULL
+#
 # End of 11.2 Test
 #
diff --git a/mysql-test/main/func_json.test b/mysql-test/main/func_json.test
index a9688f2bee8..dd26112b70d 100644
--- a/mysql-test/main/func_json.test
+++ b/mysql-test/main/func_json.test
@@ -4086,6 +4086,16 @@ SELECT JSON_ARRAY_INTERSECT(c1, c2) FROM t1;
 DROP TABLE t1;
+--echo #
+--echo # MDEV-31543: ASAN heap-buffer-overflow in strncpy when fetching keys using JSON_OBJECT_FILTER_KEYS function
+--echo #
+
+SET @arr1='[1,2,"c"]';
+SET character_set_database=ucs2;
+SET CHARACTER SET utf8;
+SET @obj1='{ "a": 1,"b": 2,"c": 3}';
+SELECT JSON_OBJECT_FILTER_KEYS (@obj1,@arr1);
+
 --echo #
 --echo # End of 11.2 Test
 --echo #
diff --git a/sql/item_jsonfunc.cc b/sql/item_jsonfunc.cc
index 88f971694e4..61b81eb65f7 100644
--- a/sql/item_jsonfunc.cc
+++ b/sql/item_jsonfunc.cc
@@ -5418,7 +5418,7 @@ static bool filter_keys(json_engine_t *je1, String *str, HASH items)
 str.append('"');
 str.append('\0');
- char *curr_key= (char*)malloc((size_t)(key_end-key_start+3));
+ char *curr_key= (char*)malloc((size_t)(str.length()+3));
 strncpy(curr_key, str.ptr(), str.length());
 if (my_hash_search(&items, (const uchar*)curr_key, strlen(curr_key)))