database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-29 05:21:33 +03:00
Code Activity

MDEV-28326: Server crashes in json_path_parts_compare

Browse Source 
Analysis: When trying to compare json paths, the array_sizes variable is
NULL when beginning. But trying to access address by adding to the NULL
pointer while recursive calling json_path_parts_compare() for handling
double wildcard, it causes undefined behaviour and the array_sizes
variable eventually becomes non-null (has some address).
This eventually results in crash.
Fix: If array_sizes variable is NULL then pass NULL recursively as well.
This commit is contained in:
Rucha Deodhar
2022-04-18 15:31:36 +05:30
parent 375b8f40ce
commit 3716eaff4e
3 changed files with 21 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
mysql-test/main/func_json.result
View File

@ -2278,5 +2278,11 @@ SELECT JSON_EXISTS(@json, '$[2][2][1 to 4]');
JSON_EXISTS(@json, '$[2][2][1 to 4]')
1
#
# MDEV-28326: Server crashes in json_path_parts_compare
#
SELECT * FROM JSON_TABLE('{"foo":["bar","qux"]}','$**.*[0]' COLUMNS(col1 CHAR(8) PATH '$[0]')) AS jt;
col1
bar
#
# End of 10.9 Test
#

7
mysql-test/main/func_json.test
View File

@ -1526,6 +1526,13 @@ SELECT JSON_EXISTS(@json, '$[2][2][1 to 2]');
SELECT JSON_EXISTS(@json, '$[2][2][4 to 6]');
SELECT JSON_EXISTS(@json, '$[2][2][1 to 4]');
--echo #
--echo # MDEV-28326: Server crashes in json_path_parts_compare
--echo #
SELECT * FROM JSON_TABLE('{"foo":["bar","qux"]}','$**.*[0]' COLUMNS(col1 CHAR(8) PATH '$[0]')) AS jt;
--echo #
--echo # End of 10.9 Test
--echo #

12
strings/json_lib.c
View File

@ -1943,12 +1943,14 @@ step_fits:
/* Double wild handling needs recursions. */
res= json_path_parts_compare(a+1, a_end, b, b_end, vt,
array_sizes + (b - temp_b));
array_sizes ? array_sizes + (b - temp_b) :
NULL);
if (res == 0)
return 0;
res2= json_path_parts_compare(a, a_end, b, b_end, vt,
array_sizes + (b - temp_b));
array_sizes ? array_sizes + (b - temp_b) :
NULL);
return (res2 >= 0) ? res2 : res;
@ -1961,12 +1963,14 @@ step_fits_autowrap:
/* Double wild handling needs recursions. */
res= json_path_parts_compare(a+1, a_end, b+1, b_end, vt,
array_sizes + (b - temp_b));
array_sizes ? array_sizes + (b - temp_b) :
NULL);
if (res == 0)
return 0;
res2= json_path_parts_compare(a, a_end, b+1, b_end, vt,
array_sizes + (b - temp_b));
array_sizes ? array_sizes + (b - temp_b) :
NULL);
return (res2 >= 0) ? res2 : res;