MDEV-25420 JSON_TABLE: ASAN heap-buffer-overflow in Protocol::net_store_data...

MDEV-25420 JSON_TABLE: ASAN heap-buffer-overflow in Protocol::net_store_data or consequent failur es. fixed changed.

MDEV-25420 JSON_TABLE: ASAN heap-buffer-overflow in Protocol::net_store_data...
MDEV-25420 JSON_TABLE: ASAN heap-buffer-overflow in Protocol::net_store_data or consequent failur es. fixed changed.
a4353c25 · Alexey Botchkov · b0817ff8 · a4353c25 · a4353c25 · a4353c25
Commit a4353c25 authored Apr 17, 2021 by Alexey Botchkov
Showing with 8 additions and 14 deletions

mysql-test/suite/json/r/json_table.result mysql-test/suite/json/r/json_table.result +1 -1

sql/json_table.cc sql/json_table.cc +3 -0

sql/sql_select.cc sql/sql_select.cc +4 -13

No files found.
--- a/mysql-test/suite/json/r/json_table.result
+++ b/mysql-test/suite/json/r/json_table.result
--- a/sql/json_table.cc
+++ b/sql/json_table.cc
@@ -749,6 +749,7 @@ bool Create_json_table::add_json_table_fields(THD *thd, TABLE *table,
    Create_field *sql_f= jc->m_field;
    Record_addr addr(!(sql_f->flags & NOT_NULL_FLAG));
    Bit_addr bit(addr.null());
+    uint uneven_delta;

    sql_f->prepare_stage2(table->file, table->file->ha_table_flags());

@@ -760,7 +761,9 @@ bool Create_json_table::add_json_table_fields(THD *thd, TABLE *table,
    if (!f)
      goto err_exit;
    f->init(table);
+    uneven_delta= m_uneven_bit_length;
    add_field(table, f, fieldnr++, 0);
+    m_uneven_bit[current_counter]+= (m_uneven_bit_length - uneven_delta);
  }

  share->fields= fieldnr;

--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -18291,16 +18291,6 @@ Create_tmp_table::Create_tmp_table(ORDER *group, bool distinct,
 }


-static void add_null_bits_for_field(const Field *f, uint *null_counter)
-{
-  if (!(f->flags & NOT_NULL_FLAG))
-    (*null_counter)++;
-
-  if (f->type() == MYSQL_TYPE_BIT)
-   (*null_counter)+= f->field_length & 7;
-}
-
-
 void Create_tmp_table::add_field(TABLE *table, Field *field, uint fieldnr,
                                 bool force_not_null_cols)
 {
@@ -18313,7 +18303,8 @@ void Create_tmp_table::add_field(TABLE *table, Field *field, uint fieldnr,
    field->null_ptr= NULL;
  }

-  add_null_bits_for_field(field, m_null_count + current_counter);
+  if (!(field->flags & NOT_NULL_FLAG))
+    m_null_count[current_counter]++;

  table->s->reclength+= field->pack_length();

@@ -18894,6 +18885,7 @@ bool Create_tmp_table::finalize(THD *thd,
      recinfo->null_pos= (null_pack_base[current_counter] +
                          null_counter[current_counter]/8);
      field->move_field(pos, null_flags + recinfo->null_pos, recinfo->null_bit);
+      null_counter[current_counter]++;
    }
    else
      field->move_field(pos,(uchar*) 0,0);
@@ -18904,9 +18896,8 @@ bool Create_tmp_table::finalize(THD *thd,
                                        null_pack_base[current_counter] +
                                        null_counter[current_counter]/8,
                                        null_counter[current_counter] & 7);
+      null_counter[current_counter]+= (field->field_length & 7);
    }
-
-    add_null_bits_for_field(field, null_counter + current_counter);
    field->reset();

    /*