
MDEV-31543: ASAN heap-buffer-overflow in strncpy when fetching keys

using JSON_OBJECT_FILTER_KEYS function

Analysis:
Insufficient buffer size while copying the data.
Fix:
Change buffer size to accommodate all data.
This commit is contained in:
Rucha Deodhar
2024-04-25 01:32:58 +05:30
parent a21e49cbcc
commit 2455f1a93d
3 changed files with 21 additions and 1 deletions


@ -5197,5 +5197,15 @@ JSON_ARRAY_INTERSECT(c1, c2)
[4]
DROP TABLE t1;
#
# MDEV-31543: ASAN heap-buffer-overflow in strncpy when fetching keys using JSON_OBJECT_FILTER_KEYS function
#
SET @arr1='[1,2,"c"]';
SET character_set_database=ucs2;
SET CHARACTER SET utf8;
SET @obj1='{ "a": 1,"b": 2,"c": 3}';
SELECT JSON_OBJECT_FILTER_KEYS (@obj1,@arr1);
JSON_OBJECT_FILTER_KEYS (@obj1,@arr1)
NULL
#
# End of 11.2 Test
#


@ -4086,6 +4086,16 @@ SELECT JSON_ARRAY_INTERSECT(c1, c2) FROM t1;
DROP TABLE t1;
--echo #
--echo # MDEV-31543: ASAN heap-buffer-overflow in strncpy when fetching keys using JSON_OBJECT_FILTER_KEYS function
--echo #
SET @arr1='[1,2,"c"]';
SET character_set_database=ucs2;
SET CHARACTER SET utf8;
SET @obj1='{ "a": 1,"b": 2,"c": 3}';
SELECT JSON_OBJECT_FILTER_KEYS (@obj1,@arr1);
--echo #
--echo # End of 11.2 Test
--echo #
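Review bot: The new test switches `character_set_database` to ucs2 and the client character set to utf8 but never restores either, so if this test file continues past the hunk every later statement runs under those settings instead of the file's defaults; adding `SET character_set_database=DEFAULT;` and `SET CHARACTER SET DEFAULT;` after the SELECT (and re-recording the result file, whose section above mirrors this one) would contain the effect. Whether the file ends at the `End of 11.2 Test` marker cannot be seen from the hunk. The recorded output is NULL rather than a filtered object, so a one-line `--echo` comment stating why NULL is the expected value for this charset combination would make the test's intent clear to the next reader.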


@ -5418,7 +5418,7 @@ static bool filter_keys(json_engine_t *je1, String *str, HASH items)
str.append('"');
str.append('\0');
char *curr_key= (char*)malloc((size_t)(key_end-key_start+3));
char *curr_key= (char*)malloc((size_t)(str.length()+3));
strncpy(curr_key, str.ptr(), str.length());
if (my_hash_search(&items, (const uchar*)curr_key, strlen(curr_key)))
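Review bot: The malloc() result on the new line goes straight into strncpy() without a NULL check, so an allocation failure dereferences NULL; a guard such as `if (!curr_key) return true;` would avoid that, assuming filter_keys follows the true-on-error convention — its body starts and ends outside the hunk, so confirm against its other exits. The copy also depends on the '\0' appended two lines above for termination, because strncpy() with n equal to str.length() does not terminate otherwise, and the +3 slack is now unused; a comment like `/* str ends in the '\0' appended above, so strncpy() leaves curr_key NUL-terminated */` would make that dependency explicit. The lookup length comes from strlen(curr_key), so a key containing an embedded NUL byte would be truncated at that point — presumably not reachable here, but worth confirming. Where curr_key is freed is not visible in this hunk.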