From 3716eaff4e2fd0be15c076e15de690a7b61559a6 Mon Sep 17 00:00:00 2001
From: Rucha Deodhar
Date: Mon, 18 Apr 2022 15:31:36 +0530
Subject: [PATCH] MDEV-28326: Server crashes in json_path_parts_compare

Analysis: When trying to compare json paths, the array_sizes variable is NULL when beginning. But trying to access address by adding to the NULL pointer while recursive calling json_path_parts_compare() for handling double wildcard, it causes undefined behaviour and the array_sizes variable eventually becomes non-null (has some address). This eventually results in crash.
Fix: If array_sizes variable is NULL then pass NULL recursively as well.
---
 mysql-test/main/func_json.result | 6 ++++++
 mysql-test/main/func_json.test | 7 +++++++
 strings/json_lib.c | 12 ++++++++----
 3 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/mysql-test/main/func_json.result b/mysql-test/main/func_json.result
index 0bb5441b393..ffdda37684e 100644
--- a/mysql-test/main/func_json.result
+++ b/mysql-test/main/func_json.result
@@ -2278,5 +2278,11 @@ SELECT JSON_EXISTS(@json, '$[2][2][1 to 4]');
 JSON_EXISTS(@json, '$[2][2][1 to 4]')
 1
 #
+# MDEV-28326: Server crashes in json_path_parts_compare
+#
+SELECT * FROM JSON_TABLE('{"foo":["bar","qux"]}','$**.*[0]' COLUMNS(col1 CHAR(8) PATH '$[0]')) AS jt;
+col1
+bar
+#
 # End of 10.9 Test
 #
diff --git a/mysql-test/main/func_json.test b/mysql-test/main/func_json.test
index 71f9c192237..91d5002acc8 100644
--- a/mysql-test/main/func_json.test
+++ b/mysql-test/main/func_json.test
@@ -1526,6 +1526,13 @@ SELECT JSON_EXISTS(@json, '$[2][2][1 to 2]');
 SELECT JSON_EXISTS(@json, '$[2][2][4 to 6]');
 SELECT JSON_EXISTS(@json, '$[2][2][1 to 4]');
+
+--echo #
+--echo # MDEV-28326: Server crashes in json_path_parts_compare
+--echo #
+
+SELECT * FROM JSON_TABLE('{"foo":["bar","qux"]}','$**.*[0]' COLUMNS(col1 CHAR(8) PATH '$[0]')) AS jt;
+
 --echo #
 --echo # End of 10.9 Test
 --echo #
diff --git a/strings/json_lib.c b/strings/json_lib.c
index 0574c80e84e..2df6593d573 100644
--- a/strings/json_lib.c
+++ b/strings/json_lib.c
@@ -1943,12 +1943,14 @@ step_fits:
 /* Double wild handling needs recursions. */
 res= json_path_parts_compare(a+1, a_end, b, b_end, vt,
- array_sizes + (b - temp_b));
+ array_sizes ? array_sizes + (b - temp_b) :
+ NULL);
 if (res == 0)
 return 0;
 res2= json_path_parts_compare(a, a_end, b, b_end, vt,
- array_sizes + (b - temp_b));
+ array_sizes ? array_sizes + (b - temp_b) :
+ NULL);
 return (res2 >= 0) ? res2 : res;
@@ -1961,12 +1963,14 @@ step_fits_autowrap:
 /* Double wild handling needs recursions. */
 res= json_path_parts_compare(a+1, a_end, b+1, b_end, vt,
- array_sizes + (b - temp_b));
+ array_sizes ? array_sizes + (b - temp_b) :
+ NULL);
 if (res == 0)
 return 0;
 res2= json_path_parts_compare(a, a_end, b+1, b_end, vt,
- array_sizes + (b - temp_b));
+ array_sizes ? array_sizes + (b - temp_b) :
+ NULL);
 return (res2 >= 0) ? res2 : res;
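Review bot: The guarded offset `array_sizes ? array_sizes + (b - temp_b) : NULL` is now spelled out four times, twice in this step_fits hunk and twice more in the step_fits_autowrap hunk; computing it once into a local of array_sizes's type just before the two recursive calls would keep the call sites from drifting apart the next time one of them is edited. The change removes the pointer arithmetic on a NULL pointer, which is undefined behaviour rather than a harmless no-op, but the hunks do not show how json_path_parts_compare reads its array_sizes argument once NULL is passed through, so every dereference in the callee presumably needs its own NULL check — worth confirming, since the function starts and ends outside both hunks. A short why-comment above the first call, `/* array_sizes may be NULL; an offset may only be applied to a non-NULL pointer (UB otherwise). */`, would explain the ternary to the next reader. A build with -fsanitize=undefined reports the original `NULL + offset` pattern as applying a non-zero offset to a null pointer, which would have surfaced this before it became a crash.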