MDEV-28326: Server crashes in json_path_parts_compare

Analysis: When trying to compare json paths, the array_sizes variable is NULL when beginning. But trying to access address by adding to the NULL pointer while recursive calling json_path_parts_compare() for handling double wildcard, it causes undefined behaviour and the array_sizes variable eventually becomes non-null (has some address). This eventually results in crash. Fix: If array_sizes variable is NULL then pass NULL recursively as well.

MDEV-28326: Server crashes in json_path_parts_compare
Analysis: When trying to compare json paths, the array_sizes variable is NULL when beginning. But trying to access address by adding to the NULL pointer while recursive calling json_path_parts_compare() for handling double wildcard, it causes undefined behaviour and the array_sizes variable eventually becomes non-null (has some address). This eventually results in crash. Fix: If array_sizes variable is NULL then pass NULL recursively as well.
3716eaff · Rucha Deodhar · 375b8f40 · 3716eaff · 3716eaff · 3716eaff
Commit 3716eaff authored Apr 18, 2022 by Rucha Deodhar
Showing with 21 additions and 4 deletions

mysql-test/main/func_json.result mysql-test/main/func_json.result +6 -0

mysql-test/main/func_json.test mysql-test/main/func_json.test +7 -0

strings/json_lib.c strings/json_lib.c +8 -4

No files found.
--- a/mysql-test/main/func_json.result
+++ b/mysql-test/main/func_json.result
@@ -2278,5 +2278,11 @@ SELECT JSON_EXISTS(@json, '$[2][2][1 to 4]');
 JSON_EXISTS(@json, '$[2][2][1 to 4]')
 1
 #
+# MDEV-28326: Server crashes in json_path_parts_compare
+#
+SELECT * FROM JSON_TABLE('{"foo":["bar","qux"]}','$**.*[0]' COLUMNS(col1 CHAR(8) PATH '$[0]')) AS jt;
+col1
+bar
+#
 # End of 10.9 Test
 #
--- a/mysql-test/main/func_json.test
+++ b/mysql-test/main/func_json.test
@@ -1526,6 +1526,13 @@ SELECT JSON_EXISTS(@json, '$[2][2][1 to 2]');
 SELECT JSON_EXISTS(@json, '$[2][2][4 to 6]');
 SELECT JSON_EXISTS(@json, '$[2][2][1 to 4]');

+
+--echo #
+--echo # MDEV-28326: Server crashes in json_path_parts_compare
+--echo #
+
+SELECT * FROM JSON_TABLE('{"foo":["bar","qux"]}','$**.*[0]' COLUMNS(col1 CHAR(8) PATH '$[0]')) AS jt;
+
 --echo #
 --echo # End of 10.9 Test
 --echo #
--- a/strings/json_lib.c
+++ b/strings/json_lib.c
@@ -1943,12 +1943,14 @@ int json_path_parts_compare(

    /* Double wild handling needs recursions. */
    res= json_path_parts_compare(a+1, a_end, b, b_end, vt,
-                                 array_sizes + (b - temp_b));
+                                 array_sizes ? array_sizes + (b - temp_b) :
+                                               NULL);
    if (res == 0)
      return 0;

    res2= json_path_parts_compare(a, a_end, b, b_end, vt,
-                                  array_sizes + (b - temp_b));
+                                  array_sizes ? array_sizes + (b - temp_b) :
+                                                NULL);

    return (res2 >= 0) ? res2 : res;

@@ -1961,12 +1963,14 @@ int json_path_parts_compare(

    /* Double wild handling needs recursions. */
    res= json_path_parts_compare(a+1, a_end, b+1, b_end, vt,
-                                 array_sizes + (b - temp_b));
+                                 array_sizes ? array_sizes + (b - temp_b) :
+                                               NULL);
    if (res == 0)
      return 0;

    res2= json_path_parts_compare(a, a_end, b+1, b_end, vt,
-                                  array_sizes + (b - temp_b));
+                                  array_sizes ? array_sizes + (b - temp_b) :
+                                                NULL);

    return (res2 >= 0) ? res2 : res;