MDEV-11463 Server crashes in mark_array upon JSON_VALID.

The depth of nested arrays should be controlled, as it's limited.

MDEV-11463 Server crashes in mark_array upon JSON_VALID.
The depth of nested arrays should be controlled, as it's limited.
7fca1330 · Alexey Botchkov · edc75c9c · 7fca1330 · 7fca1330 · 7fca1330
Commit 7fca1330 authored Dec 03, 2016 by Alexey Botchkov
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 9 deletions

mysql-test/r/func_json.result mysql-test/r/func_json.result +3 -0

mysql-test/t/func_json.test mysql-test/t/func_json.test +1 -0

strings/json_lib.c strings/json_lib.c +29 -9

No files found.
--- a/mysql-test/r/func_json.result
+++ b/mysql-test/r/func_json.result
@@ -10,6 +10,9 @@ json_valid('{"key1":1, "key2":[2,3]}')
 select json_valid('[false, true, null]');
 json_valid('[false, true, null]')
 1
+select json_valid(repeat('[', 1000));
+json_valid(repeat('[', 1000))
+0
 select json_value('{"key1":123}', '$.key2');
 json_value('{"key1":123}', '$.key2')
 NULL

--- a/mysql-test/t/func_json.test
+++ b/mysql-test/t/func_json.test
@@ -2,6 +2,7 @@ select json_valid('[1, 2]');
 select json_valid('"string"}');
 select json_valid('{"key1":1, "key2":[2,3]}');
 select json_valid('[false, true, null]');
+select json_valid(repeat('[', 1000));
 select json_value('{"key1":123}', '$.key2');
 select json_value('{"key1":123}', '$.key1');

--- a/strings/json_lib.c
+++ b/strings/json_lib.c
@@ -126,8 +126,13 @@ static int syntax_error(json_engine_t *j)
 static int mark_object(json_engine_t *j)
 {
  j->state= JST_OBJ_START;
-  *(++j->stack_p)= JST_OBJ_CONT;
+  if ((++j->stack_p) - j->stack < JSON_DEPTH_LIMIT)
-  return 0;
+  {
+    *j->stack_p= JST_OBJ_CONT;
+    return 0;
+  }
+  j->s.error= JE_DEPTH;
+  return 1;
 }
@@ -137,8 +142,13 @@ static int read_obj(json_engine_t *j)
  j->state= JST_OBJ_START;
  j->value_type= JSON_VALUE_OBJECT;
  j->value= j->value_begin;
-  *(++j->stack_p)= JST_OBJ_CONT;
+  if ((++j->stack_p) - j->stack < JSON_DEPTH_LIMIT)
-  return 0;
+  {
+    *j->stack_p= JST_OBJ_CONT;
+    return 0;
+  }
+  j->s.error= JE_DEPTH;
+  return 1;
 }
@@ -146,9 +156,14 @@ static int read_obj(json_engine_t *j)
 static int mark_array(json_engine_t *j)
 {
  j->state= JST_ARRAY_START;
-  *(++j->stack_p)= JST_ARRAY_CONT;
+  if ((++j->stack_p) - j->stack < JSON_DEPTH_LIMIT)
-  j->value= j->value_begin;
+  {
-  return 0;
+    *j->stack_p= JST_ARRAY_CONT;
+    j->value= j->value_begin;
+    return 0;
+  }
+  j->s.error= JE_DEPTH;
+  return 1;
 }
 /* Read value of object. */
@@ -157,8 +172,13 @@ static int read_array(json_engine_t *j)
  j->state= JST_ARRAY_START;
  j->value_type= JSON_VALUE_ARRAY;
  j->value= j->value_begin;
-  *(++j->stack_p)= JST_ARRAY_CONT;
+  if ((++j->stack_p) - j->stack < JSON_DEPTH_LIMIT)
-  return 0;
+  {
+    *j->stack_p= JST_ARRAY_CONT;
+    return 0;
+  }
+  j->s.error= JE_DEPTH;
+  return 1;
 }