MDEV-33640: Server crashes at my_hash_free

mariadb-RuchaDeodhar · mariadb-RuchaDeodhar · commit 291cc20bf1bb · 2025-12-22T18:18:01.000+05:30
Analysis:
While parsing the json schema, we dont initialize the hash that stores
properties, but we try to free hash while cleanup. This happend because
the variable that checks whether hash is initialized has garbage value.
So the check becomes true and we end up deleting the uninitialized hash.

Fix:
Initialize the is_hash_inited to false.
diff --git a/mysql-test/main/func_json.result b/mysql-test/main/func_json.result
@@ -5379,4 +5379,9 @@ result
 [["2", "6"], ["3", "8"], ["4", "5"], ["1", "7"]]
 [["2", "6"], ["3", "8"], ["4", "5"], ["1", "7"]]
 [["2", "6"], ["3", "8"], ["4", "5"], ["1", "7"]]
+#
+# MDEV-33640: Server crashes at my_hash_free
+#
+SELECT JSON_SCHEMA_VALID('{"properties": "a_string": {"pattern": "^[5-9]$"}}}', '{"a_string": "8"}');
+ERROR HY000: Invalid value for keyword properties
 # End of 11.4 Test
diff --git a/mysql-test/main/func_json.test b/mysql-test/main/func_json.test
@@ -4275,4 +4275,12 @@ SELECT ( WITH x AS ( WITH x ( x ) AS ( SELECT ( 1.000000 ) ) SELECT x FROM x ) S
 
 select json_array_intersect('[["1", "7"], ["2", "6"], ["4", "5"], ["3", "8"]]', '[["2","6"],["3","8"],["4","5"],["1","7"]]') as result from (values (1),(2),(3),(4),(5)) x;
 
+
+--echo #
+--echo # MDEV-33640: Server crashes at my_hash_free
+--echo #
+
+--error ER_JSON_INVALID_VALUE_FOR_KEYWORD
+SELECT JSON_SCHEMA_VALID('{"properties": "a_string": {"pattern": "^[5-9]$"}}}', '{"a_string": "8"}');
+
 --echo # End of 11.4 Test
diff --git a/sql/json_schema.h b/sql/json_schema.h
@@ -475,6 +475,7 @@ class Json_schema_properties : public Json_schema_keyword
     Json_schema_properties()
     {
       priority= 1;
+      is_hash_inited= false;
     }
     bool validate(const json_engine_t *je, const uchar *k_start= NULL,
                   const uchar *k_end= NULL) override;
@@ -503,6 +504,10 @@ class Json_schema_dependent_schemas : public Json_schema_keyword
       if (is_hash_inited)
        my_hash_free(&properties);
     }
+    Json_schema_dependent_schemas()
+    {
+      is_hash_inited= false;
+    }
     bool validate(const json_engine_t *je, const uchar *k_start= NULL,
                   const uchar *k_end= NULL) override;
     bool handle_keyword(THD *thd, json_engine_t *je,

Original file line number	Diff line number	Diff line change
`@@ -475,6 +475,7 @@ class Json_schema_properties : public Json_schema_keyword`
`475`	`475`	`Json_schema_properties()`
`476`	`476`	`{`
`477`	`477`	`priority= 1;`
	`478`	`+ is_hash_inited= false;`
`478`	`479`	`}`
`479`	`480`	`bool validate(const json_engine_t je, const uchar k_start= NULL,`
`480`	`481`	`const uchar *k_end= NULL) override;`
`@@ -503,6 +504,10 @@ class Json_schema_dependent_schemas : public Json_schema_keyword`
`503`	`504`	`if (is_hash_inited)`
`504`	`505`	`my_hash_free(&properties);`
`505`	`506`	`}`
	`507`	`+ Json_schema_dependent_schemas()`
	`508`	`+ {`
	`509`	`+ is_hash_inited= false;`
	`510`	`+ }`
`506`	`511`	`bool validate(const json_engine_t je, const uchar k_start= NULL,`
`507`	`512`	`const uchar *k_end= NULL) override;`
`508`	`513`	`bool handle_keyword(THD thd, json_engine_t je,`