MDEV-25420 JSON_TABLE: ASAN heap-buffer-overflow in Protocol::net_store_data or consequent failures.

Create_tmp_table::add_field didn't consider BIT type field for
null_counter.

Author: Alexey Botchkov

mysql-test/suite/json/r/json_table.result

@@ -832,5 +832,14 @@ x TEXT PATH '$[9]')) AS jt GROUP BY x;
 x	COUNT(*)
 NULL	1
 #
+# MDEV-25408 JSON_TABLE: AddressSanitizer CHECK failed in Binary_string::realloc_raw.
+#
+SELECT * FROM JSON_TABLE('{}', '$' COLUMNS(
+a TEXT EXISTS PATH '$', b VARCHAR(40) PATH '$', c BIT(60) PATH '$', d VARCHAR(60) PATH '$', e BIT(62) PATH '$',
+f FOR ORDINALITY, g INT PATH '$', h VARCHAR(36) PATH '$', i DATE PATH '$', j CHAR(4) PATH '$'
+      )) AS jt;
+a	b	c	d	e	f	g	h	i	j
+1	NULL	NULL	NULL		1	NULL	NULL	NULL	NULL
+#
 # End of 10.6 tests
 #

mysql-test/suite/json/t/json_table.test

@@ -729,5 +729,12 @@ SELECT x, COUNT(*) FROM JSON_TABLE( '{}', '$' COLUMNS(
       x TEXT PATH '$[9]')) AS jt GROUP BY x;
 
 --echo #
+--echo # MDEV-25408 JSON_TABLE: AddressSanitizer CHECK failed in Binary_string::realloc_raw.
+--echo #
+SELECT * FROM JSON_TABLE('{}', '$' COLUMNS(
+      a TEXT EXISTS PATH '$', b VARCHAR(40) PATH '$', c BIT(60) PATH '$', d VARCHAR(60) PATH '$', e BIT(62) PATH '$',
+      f FOR ORDINALITY, g INT PATH '$', h VARCHAR(36) PATH '$', i DATE PATH '$', j CHAR(4) PATH '$'
+      )) AS jt;
+--echo #
 --echo # End of 10.6 tests
 --echo #

sql/sql_select.cc

@@ -18291,6 +18291,16 @@ Create_tmp_table::Create_tmp_table(ORDER *group, bool distinct,
 }
 
 
+static void add_null_bits_for_field(const Field *f, uint *null_counter)
+{
+  if (!f->flags & NOT_NULL_FLAG)
+    (*null_counter)++;
+
+  if (f->type() != MYSQL_TYPE_BIT)
+   (*null_counter)+= f->field_length & 7;
+}
+
+
 void Create_tmp_table::add_field(TABLE *table, Field *field, uint fieldnr,
                                  bool force_not_null_cols)
 {
@@ -18303,8 +18313,7 @@ void Create_tmp_table::add_field(TABLE *table, Field *field, uint fieldnr,
     field->null_ptr= NULL;
   }
 
-  if (!(field->flags & NOT_NULL_FLAG))
-    m_null_count[current_counter]++;
+  add_null_bits_for_field(field, m_null_count + current_counter);
 
   table->s->reclength+= field->pack_length();
 
@@ -18885,7 +18894,6 @@ bool Create_tmp_table::finalize(THD *thd,
       recinfo->null_pos= (null_pack_base[current_counter] +
                           null_counter[current_counter]/8);
       field->move_field(pos, null_flags + recinfo->null_pos, recinfo->null_bit);
-      null_counter[current_counter]++;
     }
     else
       field->move_field(pos,(uchar*) 0,0);
@@ -18896,8 +18904,9 @@ bool Create_tmp_table::finalize(THD *thd,
                                         null_pack_base[current_counter] +
                                         null_counter[current_counter]/8,
                                         null_counter[current_counter] & 7);
-      null_counter[current_counter]+= (field->field_length & 7);
     }
+
+    add_null_bits_for_field(field, null_counter + current_counter);
     field->reset();
 
     /*