MDEV-25188 JSON_TABLE: ASAN use-after-poison in Field_long::reset / T…

…able_function_json_table::setup or malloc(): invalid size. MDEV-25192 JSON_TABLE: ASAN use-after-poison in field_conv_memcpy / Create_tmp_table::finalize upon query with derived table.
MariaDB · Apr 21, 2021 · 46d592a · 46d592a
1 parent 0eda81e
commit 46d592a
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 20 deletions.
diff --git a/mysql-test/suite/json/r/json_table.result b/mysql-test/suite/json/r/json_table.result
@@ -522,5 +522,19 @@ SELECT * FROM JSON_TABLE('{}', '$' COLUMNS(a CHAR(100) PATH '$' DEFAULT "0" ON E
 a
 0
 #
+# MDEV-25188 JSON_TABLE: ASAN use-after-poison in Field_long::reset / Table_function_json_table::setup or malloc(): invalid size.
+#
+SELECT * FROM JSON_TABLE(CONVERT('{"x":1}' USING utf8mb4), '$' COLUMNS(a INT PATH '$', b CHAR(64) PATH '$.*', c INT EXISTS PATH '$**.*')) AS jt;
+a	b	c
+NULL	1	1
+#
+# 25192 JSON_TABLE: ASAN use-after-poison in field_conv_memcpy / Create_tmp_table::finalize upon query with derived table.
+#
+SET NAMES utf8;
+SELECT * FROM ( SELECT * FROM JSON_TABLE('{}', '$' COLUMNS( a BINARY(12) PATH '$.*', b VARCHAR(40) PATH '$[*]', c VARCHAR(8) PATH '$**.*')) AS jt ) AS sq;
+a	b	c
+NULL	NULL	NULL
+SET NAMES default;
+#
 # End of 10.6 tests
 #
diff --git a/mysql-test/suite/json/t/json_table.test b/mysql-test/suite/json/t/json_table.test
@@ -400,6 +400,18 @@ DROP VIEW v;
 --echo #
 SELECT * FROM JSON_TABLE('{}', '$' COLUMNS(a CHAR(100) PATH '$' DEFAULT "0" ON ERROR)) AS jt;
 
+--echo #
+--echo # MDEV-25188 JSON_TABLE: ASAN use-after-poison in Field_long::reset / Table_function_json_table::setup or malloc(): invalid size.
+--echo #
+SELECT * FROM JSON_TABLE(CONVERT('{"x":1}' USING utf8mb4), '$' COLUMNS(a INT PATH '$', b CHAR(64) PATH '$.*', c INT EXISTS PATH '$**.*')) AS jt;
+
+--echo #
+--echo # 25192 JSON_TABLE: ASAN use-after-poison in field_conv_memcpy / Create_tmp_table::finalize upon query with derived table.
+--echo #
+SET NAMES utf8;
+SELECT * FROM ( SELECT * FROM JSON_TABLE('{}', '$' COLUMNS( a BINARY(12) PATH '$.*', b VARCHAR(40) PATH '$[*]', c VARCHAR(8) PATH '$**.*')) AS jt ) AS sq;
+SET NAMES default;
+
 --echo #
 --echo # End of 10.6 tests
 --echo #
diff --git a/sql/field.h b/sql/field.h
@@ -1612,7 +1612,7 @@ class Field: public Value_source
   virtual const TYPELIB *get_typelib() const { return NULL; }
   virtual CHARSET_INFO *charset() const= 0;
   /* returns TRUE if the new charset differs. */
-  virtual bool change_charset(const DTCollation &new_cs) { return FALSE; }
+  virtual void change_charset(const DTCollation &new_cs) {}
   virtual const DTCollation &dtcollation() const= 0;
   virtual CHARSET_INFO *charset_for_protocol(void) const
   { return binary() ? &my_charset_bin : charset(); }
@@ -2111,16 +2111,11 @@ class Field_str :public Field {
   {
     return m_collation;
   }
-  bool change_charset(const DTCollation &new_cs) override
+  void change_charset(const DTCollation &new_cs) override
   {
-    if (m_collation.collation != new_cs.collation)
-    {
-      field_length= (field_length * new_cs.collation->mbmaxlen) /
-        m_collation.collation->mbmaxlen;
-      m_collation= new_cs;
-      return TRUE;
-    }
-    return FALSE;
+    field_length= (field_length * new_cs.collation->mbmaxlen) /
+      m_collation.collation->mbmaxlen;
+    m_collation= new_cs;
   }
   bool binary() const override { return field_charset() == &my_charset_bin; }
   uint32 max_display_length() const override { return field_length; }

diff --git a/sql/json_table.cc b/sql/json_table.cc
@@ -718,7 +718,10 @@ bool Create_json_table::finalize(THD *thd, TABLE *table,
                                         m_null_count & 7);
       m_null_count+= (field->field_length & 7);
     }
-    field->reset();
+    /*
+      Here we'd call the field->reset(), but we're doing it later
+      in Table_function_json_table::setup as we define charsets there.
+    */
 
     /*
       Test if there is a default field value. The test for ->ptr is to skip
@@ -811,7 +814,7 @@ bool Create_json_table::add_json_table_fields(THD *thd, TABLE *table,
     */
     sql_f->length= sql_f->char_length;
     if (!(jc->m_explicit_cs= sql_f->charset))
-      sql_f->charset= &my_charset_utf8mb4_bin;
+      sql_f->charset= &my_charset_utf8mb4_general_ci;
 
     if (sql_f->prepare_stage1(thd, thd->mem_root, table->file,
                               table->file->ha_table_flags()))
@@ -1148,14 +1151,13 @@ int Table_function_json_table::setup(THD *thd, TABLE_LIST *sql_table,
       Json_table_column *jc= jc_i++;
       uint32 old_pack_length= f->pack_length();
 
-      if (f->change_charset(
-                jc->m_explicit_cs ? jc->m_explicit_cs : m_json->collation) ||
-          field_offset)
-      {
-        if (field_offset)
-          f->move_field(f->ptr + field_offset, f->null_ptr, f->null_bit);
-        f->reset();
-      }
+      f->change_charset(
+                jc->m_explicit_cs ? jc->m_explicit_cs : m_json->collation);
+
+      if (field_offset)
+        f->move_field(f->ptr + field_offset, f->null_ptr, f->null_bit);
+
+      f->reset();
 
       field_offset= (field_offset + f->pack_length()) - old_pack_length;