From f0f3b6549a5924a194e8ce56a0c47443acbb506e Mon Sep 17 00:00:00 2001
From: Alexey Botchkov
Date: Mon, 25 Dec 2017 08:10:48 +0400
Subject: [PATCH] MDEV-13970 crash in Item_func_json_extract::read_json. Item_func_json_extract::val_int fixed. It wasn't tested yet as it's called in exotic cases only.
---
 mysql-test/r/func_json.result | 5 +++++
 mysql-test/t/func_json.test | 9 +++++++++
 sql/item_jsonfunc.cc | 6 +++---
 3 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/mysql-test/r/func_json.result b/mysql-test/r/func_json.result
index 55e64ea38e3..b60f6e970e1 100644
--- a/mysql-test/r/func_json.result
+++ b/mysql-test/r/func_json.result
@@ -731,3 +731,8 @@ Warning 4042 Syntax error in JSON path in argument 3 to function 'json_contains_
 select JSON_VALID(0x36f0c8dccd83c5eac156da);
 JSON_VALID(0x36f0c8dccd83c5eac156da)
 0
+create table t1(a double not null);
+insert into t1 values (2),(1);
+select 1 from t1 where json_extract(a,'$','$[81]');
+1
+drop table t1;
diff --git a/mysql-test/t/func_json.test b/mysql-test/t/func_json.test
index c6c7c8d3976..0b3cb938098 100644
--- a/mysql-test/t/func_json.test
+++ b/mysql-test/t/func_json.test
@@ -383,3 +383,12 @@ select json_contains_path('{"foo":"bar"}', 'one', '$[]');
 # MDEV-13971 crash in skip_num_constant.
 #
 select JSON_VALID(0x36f0c8dccd83c5eac156da);
+
+#
+# MDEV-13970 crash in Item_func_json_extract::read_json.
+#
+create table t1(a double not null);
+insert into t1 values (2),(1);
+select 1 from t1 where json_extract(a,'$','$[81]');
+drop table t1;
+
diff --git a/sql/item_jsonfunc.cc b/sql/item_jsonfunc.cc
index ff062b81a2e..794831ae1a5 100644
--- a/sql/item_jsonfunc.cc
+++ b/sql/item_jsonfunc.cc
@@ -781,10 +781,10 @@ String *Item_func_json_extract::read_json(String *str,
 {
 str->set_charset(js->charset());
 str->length(0);
- }
- if (possible_multiple_values && str->append("[", 1))
- goto error;
+ if (possible_multiple_values && str->append("[", 1))
+ goto error;
+ }
 json_get_path_start(&je, js->charset(),(const uchar *) js->ptr(), (const uchar *) js->ptr() + js->length(), &p);
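Review bot: Nothing in the block that now encloses `str->append("[", 1)` says why `str` may be null, so the same unguarded write is easy to reintroduce in the rest of read_json, which starts and ends outside this hunk (the condition opening the block is above it as well). Going by the commit message, val_int presumably calls read_json without an output string, so I would add a comment at the top of the block such as `/* str is NULL when the caller needs only the numeric value; every write to it must stay inside this guard. */`. Please also confirm that each later use of `str` in this function is behind the same null check, since the new test shows the dereference is reachable from an ordinary SELECT and the result is a server crash.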