
MDEV-28326: Server crashes in json_path_parts_compare

Analysis: When trying to compare json paths, the array_sizes variable is
NULL at the start. But computing an address by adding an offset to that
NULL pointer while recursively calling json_path_parts_compare() to handle
a double wildcard is undefined behaviour, and the array_sizes
variable eventually becomes non-NULL (points at some address).
This eventually results in a crash.
Fix: If array_sizes variable is NULL then pass NULL recursively as well.
This commit is contained in:
Rucha Deodhar
2022-04-18 15:31:36 +05:30
parent 375b8f40ce
commit 3716eaff4e
3 changed files with 21 additions and 4 deletions


@@ -1943,12 +1943,14 @@ step_fits:
/* Double wild handling needs recursions. */
res= json_path_parts_compare(a+1, a_end, b, b_end, vt,
array_sizes + (b - temp_b));
array_sizes ? array_sizes + (b - temp_b) :
NULL);
if (res == 0)
return 0;
res2= json_path_parts_compare(a, a_end, b, b_end, vt,
array_sizes + (b - temp_b));
array_sizes ? array_sizes + (b - temp_b) :
NULL);
return (res2 >= 0) ? res2 : res;
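Review bot: The guarded offset `array_sizes ? array_sizes + (b - temp_b) : NULL` is now spelled out twice in this hunk and twice more in the step_fits_autowrap hunk below, so the four copies can drift apart the next time the offset changes; computing it once into a local of array_sizes's pointer type before the first recursive call, say `b_sizes= array_sizes ? array_sizes + (b - temp_b) : NULL;`, and passing `b_sizes` to both calls keeps them in step. The existing comment only says that double-wild handling recurses, so the reason for the NULL guard is easy to lose; a one-line comment above it, `/* array_sizes may be NULL: offsetting a NULL pointer is UB, keep it NULL. */`, records why the ternary exists. The fix presumably relies on the callee already tolerating a NULL array_sizes, which this hunk does not show. json_path_parts_compare's body starts and ends outside the hunk.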
@@ -1961,12 +1963,14 @@ step_fits_autowrap:
/* Double wild handling needs recursions. */
res= json_path_parts_compare(a+1, a_end, b+1, b_end, vt,
array_sizes + (b - temp_b));
array_sizes ? array_sizes + (b - temp_b) :
NULL);
if (res == 0)
return 0;
res2= json_path_parts_compare(a, a_end, b+1, b_end, vt,
array_sizes + (b - temp_b));
array_sizes ? array_sizes + (b - temp_b) :
NULL);
return (res2 >= 0) ? res2 : res;