From 9cc179cc7e88908cfe560773aa8e8a36ff46da0c Mon Sep 17 00:00:00 2001
From: Rucha Deodhar <rucha.deodhar@mariadb.com>
Date: Mon, 25 Sep 2023 20:20:47 +0530
Subject: [PATCH 1/5] MDEV-32007: JSON_VALUE and JSON_EXTRACT doesn't handle
 dash (-) as first character in key

Analysis:
While parsing the path, if '-' is encountered as a part of the key,
the state of the parser changes to error. Hence NULL is returned eventually.

Fix:
If '-' encountered as part of the key, change the state appropriately to
continue scanning the key.
---
 mysql-test/main/func_json.result | 21 +++++++++++++++++++++
 mysql-test/main/func_json.test   | 23 +++++++++++++++++++++++
 strings/json_lib.c               |  2 +-
 3 files changed, 45 insertions(+), 1 deletion(-)

diff --git a/mysql-test/main/func_json.result b/mysql-test/main/func_json.result
index e482acada77..2ca74c41736 100644
--- a/mysql-test/main/func_json.result
+++ b/mysql-test/main/func_json.result
@@ -2608,3 +2608,24 @@ SET @@collation_connection= @save_collation_connection;
 #
 # End of 10.9 Test
 #
+#
+# MDEV-32007: JSON_VALUE and JSON_EXTRACT doesn't handle dash (-)
+#             as first character in key
+#
+CREATE TEMPORARY TABLE IF NOT EXISTS jsonTest AS
+SELECT '{ "-1234" : "something",
+                 "12-34" : "else",
+                 "1234-" : "and",
+                 "1234" : "match" }' AS 'message';
+SELECT JSON_SEARCH(message, 'one', 'something') AS t1_path,
+JSON_VALUE(message, JSON_UNQUOTE(JSON_SEARCH(message, 'one', 'something'))) AS t1_result,
+JSON_SEARCH(message, 'one', 'else') AS t2_path,
+JSON_VALUE(message, JSON_UNQUOTE(JSON_SEARCH(message, 'one', 'else'))) AS t2_result,
+JSON_SEARCH(message, 'one', 'and') AS t3_path,
+JSON_VALUE(message, JSON_UNQUOTE(JSON_SEARCH(message, 'one', 'and'))) AS t3_result,
+JSON_SEARCH(message, 'one', 'match') AS t4_path,
+JSON_VALUE(message, JSON_UNQUOTE(JSON_SEARCH(message, 'one', 'match'))) AS t4_result
+FROM jsonTest;
+t1_path	t1_result	t2_path	t2_result	t3_path	t3_result	t4_path	t4_result
+"$.-1234"	something	"$.12-34"	else	"$.1234-"	and	"$.1234"	match
+# End of 11.0 test
diff --git a/mysql-test/main/func_json.test b/mysql-test/main/func_json.test
index d940bec74d9..d9ebd7e18be 100644
--- a/mysql-test/main/func_json.test
+++ b/mysql-test/main/func_json.test
@@ -1809,3 +1809,26 @@ SET @@collation_connection= @save_collation_connection;
 --echo #
 --echo # End of 10.9 Test
 --echo #
+
+--echo #
+--echo # MDEV-32007: JSON_VALUE and JSON_EXTRACT doesn't handle dash (-)
+--echo #             as first character in key
+--echo #
+
+CREATE TEMPORARY TABLE IF NOT EXISTS jsonTest AS
+       SELECT '{ "-1234" : "something",
+                 "12-34" : "else",
+                 "1234-" : "and",
+                 "1234" : "match" }' AS 'message';
+ 
+SELECT JSON_SEARCH(message, 'one', 'something') AS t1_path,
+       JSON_VALUE(message, JSON_UNQUOTE(JSON_SEARCH(message, 'one', 'something'))) AS t1_result,
+       JSON_SEARCH(message, 'one', 'else') AS t2_path,
+       JSON_VALUE(message, JSON_UNQUOTE(JSON_SEARCH(message, 'one', 'else'))) AS t2_result,
+       JSON_SEARCH(message, 'one', 'and') AS t3_path,
+       JSON_VALUE(message, JSON_UNQUOTE(JSON_SEARCH(message, 'one', 'and'))) AS t3_result,
+       JSON_SEARCH(message, 'one', 'match') AS t4_path,
+       JSON_VALUE(message, JSON_UNQUOTE(JSON_SEARCH(message, 'one', 'match'))) AS t4_result
+FROM jsonTest;
+
+--echo # End of 11.0 test
diff --git a/strings/json_lib.c b/strings/json_lib.c
index 52c173f3604..47e0843d627 100644
--- a/strings/json_lib.c
+++ b/strings/json_lib.c
@@ -1093,7 +1093,7 @@ static int json_path_transitions[N_PATH_STATES][N_PATH_CLASSES]=
 /* AS */  { JE_EOS, JE_SYN, JE_SYN, JE_SYN, PS_T, PS_PT, JE_SYN, PS_NEG,
             PS_Z, PS_INT, PS_LAST, PS_AS, JE_SYN, JE_SYN, JE_SYN,
             JE_NOT_JSON_CHR, JE_BAD_CHR},
-/* KEY */ { JE_EOS, PS_KNM, PS_KWD, JE_SYN, PS_KNM, PS_KNM, JE_SYN, JE_SYN,
+/* KEY */ { JE_EOS, PS_KNM, PS_KWD, JE_SYN, PS_KNM, PS_KNM, JE_SYN, PS_KNM,
             PS_KNM, PS_KNM, PS_KNM, PS_KNM, PS_KNM, JE_SYN, PS_KEYX, PS_KNM,
             JE_NOT_JSON_CHR, JE_BAD_CHR},
 /* KNM */ { PS_KOK, PS_KNM, PS_AST, PS_EAR, PS_KNM, PS_KNM, PS_EKY, PS_KNM,

From 1f7ab85644675718518fa64084fb11eb3327d5b9 Mon Sep 17 00:00:00 2001
From: Dave Gosselin <dave.gosselin@mariadb.com>
Date: Tue, 31 Oct 2023 14:17:24 -0400
Subject: [PATCH 2/5] MDEV-31116 SIGSEGV in
 test_if_skip_sort_order|JOIN::optimize_stage2

test_if_skip_sort_order() should check that the 'select' pointer
(=tab->select) is not NULL before dereferencing it when invoking
the test_quick_select method.

The check was erroneously removed by:
1c88ac60cf5 Simple cleanup of removing QQ comments from sql_select.cc
---
 mysql-test/main/order_by_innodb.result | 10 ++++++++++
 mysql-test/main/order_by_innodb.test   |  9 +++++++++
 sql/sql_select.cc                      |  2 +-
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/mysql-test/main/order_by_innodb.result b/mysql-test/main/order_by_innodb.result
index ad4acad3319..79938715539 100644
--- a/mysql-test/main/order_by_innodb.result
+++ b/mysql-test/main/order_by_innodb.result
@@ -296,3 +296,13 @@ a	b	c
 6	2	26
 6	3	36
 drop table t1;
+#
+#  MDEV-31116: SIGSEGV in test_if_skip_sort_order|JOIN::optimize_stage2
+#
+CREATE TABLE t1 (a BINARY (2),b BINARY (1),KEY(a)) ENGINE=innodb;
+INSERT INTO t1 select 'ab', NULL from seq_1_to_14;
+SELECT * FROM t1 WHERE a IN (SELECT a FROM t1 WHERE a >'') ORDER BY a LIMIT 1;
+a	b
+ab	NULL
+DROP TABLE t1;
+# End of 11.0 tests
diff --git a/mysql-test/main/order_by_innodb.test b/mysql-test/main/order_by_innodb.test
index acce96c7603..9ad9cc20337 100644
--- a/mysql-test/main/order_by_innodb.test
+++ b/mysql-test/main/order_by_innodb.test
@@ -250,3 +250,12 @@ explain select * from t1 force index(r) order by a,b limit 20;
 explain select * from t1 force index(r) order by a desc,b limit 20;
         select * from t1 force index(r) order by a desc,b limit 20;
 drop table t1;
+
+--echo #
+--echo #  MDEV-31116: SIGSEGV in test_if_skip_sort_order|JOIN::optimize_stage2
+--echo #
+CREATE TABLE t1 (a BINARY (2),b BINARY (1),KEY(a)) ENGINE=innodb;
+INSERT INTO t1 select 'ab', NULL from seq_1_to_14;
+SELECT * FROM t1 WHERE a IN (SELECT a FROM t1 WHERE a >'') ORDER BY a LIMIT 1;
+DROP TABLE t1;
+--echo # End of 11.0 tests
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index 94ae6491f77..ec87acea678 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -26478,7 +26478,7 @@ test_if_skip_sort_order(JOIN_TAB *tab,ORDER *order,ha_rows select_limit,
          !table->is_clustering_key(best_key)))
       goto use_filesort;
 
-    if (table->opt_range_keys.is_set(best_key) && best_key != ref_key)
+    if (select && table->opt_range_keys.is_set(best_key) && best_key != ref_key)
     {
       key_map tmp_map;
       tmp_map.clear_all();       // Force the creation of quick select

From 7f2fae7b212ec6ed13ec30ec80208f6c770a16dd Mon Sep 17 00:00:00 2001
From: Daniel Bartholomew <db@dbart.us>
Date: Mon, 13 Nov 2023 14:40:46 -0500
Subject: [PATCH 3/5] bump the VERSION

---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/VERSION b/VERSION
index 18b3c9acff0..45539fc57d9 100644
--- a/VERSION
+++ b/VERSION
@@ -1,4 +1,4 @@
 MYSQL_VERSION_MAJOR=11
 MYSQL_VERSION_MINOR=0
-MYSQL_VERSION_PATCH=4
+MYSQL_VERSION_PATCH=5
 SERVER_MATURITY=stable

From 6cf776b68d2671bd78c012b8dd9f55623144652e Mon Sep 17 00:00:00 2001
From: Ian Gilfillan <github@greenman.co.za>
Date: Mon, 13 Nov 2023 19:34:26 +0200
Subject: [PATCH 4/5] Update earliest verson in PR template

---
 .github/pull_request_template.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index c97f9827e59..b519bfd8f3c 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -32,7 +32,7 @@ Without automated tests, future regressions in the expected behavior can't be au
 If the changes are not amenable to automated testing, please explain why not and carefully describe how to test manually.
 
 <!--
-Tick one of the following boxes [x] to help us understand if the base branch for the PR is correct. (Currently the earliest maintained branch is 10.3)
+Tick one of the following boxes [x] to help us understand if the base branch for the PR is correct. (Currently the earliest maintained branch is 10.4)
 -->
 ## Basing the PR against the correct MariaDB version
 - [ ] *This is a new feature and the PR is based against the latest MariaDB development branch.*

From 09fba0e89f1b7c15bbf0336134366d35d340c919 Mon Sep 17 00:00:00 2001
From: Daniel Bartholomew <db@dbart.us>
Date: Mon, 13 Nov 2023 14:40:46 -0500
Subject: [PATCH 5/5] bump the VERSION

---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/VERSION b/VERSION
index 18b3c9acff0..45539fc57d9 100644
--- a/VERSION
+++ b/VERSION
@@ -1,4 +1,4 @@
 MYSQL_VERSION_MAJOR=11
 MYSQL_VERSION_MINOR=0
-MYSQL_VERSION_PATCH=4
+MYSQL_VERSION_PATCH=5
 SERVER_MATURITY=stable