authorRucha Deodhar <rucha.deodhar@mariadb.com>2022-12-29 22:46:53 +0530
committerRucha Deodhar <rucha.deodhar@mariadb.com>2023-01-18 16:28:50 +0530
commitff72a9431a6559b691d3dcfb595e76546678313d (patch)
tree3afaf33d88d207a4b09d1445e49ebcc2aa1320e5
parent0459d2ccfc782475e596c9991e0525186953a4f3 (diff)
downloadmariadb-git-ff72a9431a6559b691d3dcfb595e76546678313d.tar.gz
MDEV-26392: Crash with json_get_path_next and 10.5.12
Analysis: When a level is skipped after the path is found, the state of the JSON engine changes. This breaks the sequence expected by json_get_path_next(), which is called at the end to ensure the JSON document is valid, and leads to a crash. Fix: Use json_scan_next() at the end to check that the JSON document has correct syntax (is valid).
-rw-r--r--mysql-test/main/func_json.result12
-rw-r--r--mysql-test/main/func_json.test12
-rw-r--r--sql/item_jsonfunc.cc2
3 files changed, 25 insertions, 1 deletions
diff --git a/mysql-test/main/func_json.result b/mysql-test/main/func_json.result
index b0a7cb4988c..2a293fc72c7 100644
--- a/mysql-test/main/func_json.result
+++ b/mysql-test/main/func_json.result
@@ -1611,5 +1611,17 @@ SELECT json_object('a', coalesce(json_object('b', 'c')));
json_object('a', coalesce(json_object('b', 'c')))
{"a": {"b": "c"}}
#
+# MDEV-26392: Crash with json_get_path_next and 10.5.12
+#
+CREATE TABLE arrNestTest (
+id VARCHAR(80) AS (JSON_COMPACT(JSON_EXTRACT(doc, "$._id"))) UNIQUE KEY,
+doc JSON,
+CONSTRAINT id_not_null CHECK(id IS NOT NULL));
+INSERT INTO test.arrNestTest (doc) VALUES ('{ "_id" : { "$oid" : "611c0a463b150154132f6636" }, "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : 1.0 } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] }');
+SELECT * FROM arrNestTest;
+id doc
+{"$oid":"611c0a463b150154132f6636"} { "_id" : { "$oid" : "611c0a463b150154132f6636" }, "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : 1.0 } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] }
+DROP TABLE arrNestTest;
+#
# End of 10.5 tests
#
diff --git a/mysql-test/main/func_json.test b/mysql-test/main/func_json.test
index 7e7b83c720d..35645bcb226 100644
--- a/mysql-test/main/func_json.test
+++ b/mysql-test/main/func_json.test
@@ -1054,6 +1054,18 @@ DROP TABLE t2;
SELECT json_object('a', if(1, json_object('b', 'c'), json_object('e', 'f')));
SELECT json_object('a', coalesce(json_object('b', 'c')));
+--echo #
+--echo # MDEV-26392: Crash with json_get_path_next and 10.5.12
+--echo #
+
+CREATE TABLE arrNestTest (
+ id VARCHAR(80) AS (JSON_COMPACT(JSON_EXTRACT(doc, "$._id"))) UNIQUE KEY,
+ doc JSON,
+ CONSTRAINT id_not_null CHECK(id IS NOT NULL));
+
+INSERT INTO test.arrNestTest (doc) VALUES ('{ "_id" : { "$oid" : "611c0a463b150154132f6636" }, "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : 1.0 } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] }');
+SELECT * FROM arrNestTest;
+DROP TABLE arrNestTest;
--echo #
--echo # End of 10.5 tests
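Review bot: The added case only covers a well-formed document, so it proves the crash is gone but not that the trailing scan still rejects bad input, which is the stated purpose of the loop being changed in sql/item_jsonfunc.cc. I would add a single-path extract whose syntax error comes after the matched key, for example (constructed) `SELECT JSON_EXTRACT('{"a": 1, "b": [1,}', '$.a');`, and record whatever NULL or warning the server reports so a regression in validation shows up in the .result file. As a smaller point, the INSERT names `test.arrNestTest` while CREATE, SELECT and DROP use the unqualified name; dropping the `test.` prefix keeps the case independent of the default schema.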
diff --git a/sql/item_jsonfunc.cc b/sql/item_jsonfunc.cc
index e6507278381..9843b6d14b1 100644
--- a/sql/item_jsonfunc.cc
+++ b/sql/item_jsonfunc.cc
@@ -994,7 +994,7 @@ String *Item_func_json_extract::read_json(String *str,
if (!possible_multiple_values)
{
/* Loop to the end of the JSON just to make sure it's valid. */
- while (json_get_path_next(&je, &p) == 0) {}
+ while (json_scan_next(&je) == 0) {}
break;
}
}
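Review bot: The comment above the changed loop still says only that the rest of the document is scanned for validity; it does not record why json_scan_next() has to be used instead of json_get_path_next(), so a later cleanup could swap it back and reintroduce the crash. I would extend it to something like `/* Scan to the end only to validate syntax. Use json_scan_next(): after a match has skipped a level, the path state in p no longer matches je (MDEV-26392). */`. The empty loop body also discards why scanning stopped, so a syntax error is only reported if the engine's error state is checked after the outer loop; that check is not visible here, and it is worth confirming it exists, since this path is reachable with document text supplied through SQL. The body of read_json starts and ends outside the hunk.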