MDEV-11463 Server crashes in mark_array upon JSON_VALID.

Alexey Botchkov · Alexey Botchkov · commit 7fca13302870 · 2016-12-03T12:36:10.000+04:00
The depth of nested arrays should be controlled, as it's limited.
diff --git a/mysql-test/r/func_json.result b/mysql-test/r/func_json.result
@@ -10,6 +10,9 @@ json_valid('{"key1":1, "key2":[2,3]}')
 select json_valid('[false, true, null]');
 json_valid('[false, true, null]')
 1
+select json_valid(repeat('[', 1000));
+json_valid(repeat('[', 1000))
+0
 select json_value('{"key1":123}', '$.key2');
 json_value('{"key1":123}', '$.key2')
 NULL
diff --git a/mysql-test/t/func_json.test b/mysql-test/t/func_json.test
@@ -2,6 +2,7 @@ select json_valid('[1, 2]');
 select json_valid('"string"}');
 select json_valid('{"key1":1, "key2":[2,3]}');
 select json_valid('[false, true, null]');
+select json_valid(repeat('[', 1000));
 
 select json_value('{"key1":123}', '$.key2');
 select json_value('{"key1":123}', '$.key1');
diff --git a/strings/json_lib.c b/strings/json_lib.c
@@ -126,8 +126,13 @@ static int syntax_error(json_engine_t *j)
 static int mark_object(json_engine_t *j)
 {
   j->state= JST_OBJ_START;
-  *(++j->stack_p)= JST_OBJ_CONT;
-  return 0;
+  if ((++j->stack_p) - j->stack < JSON_DEPTH_LIMIT)
+  {
+    *j->stack_p= JST_OBJ_CONT;
+    return 0;
+  }
+  j->s.error= JE_DEPTH;
+  return 1;
 }
 
 
@@ -137,18 +142,28 @@ static int read_obj(json_engine_t *j)
   j->state= JST_OBJ_START;
   j->value_type= JSON_VALUE_OBJECT;
   j->value= j->value_begin;
-  *(++j->stack_p)= JST_OBJ_CONT;
-  return 0;
+  if ((++j->stack_p) - j->stack < JSON_DEPTH_LIMIT)
+  {
+    *j->stack_p= JST_OBJ_CONT;
+    return 0;
+  }
+  j->s.error= JE_DEPTH;
+  return 1;
 }
 
 
 /* Value of array. */
 static int mark_array(json_engine_t *j)
 {
   j->state= JST_ARRAY_START;
-  *(++j->stack_p)= JST_ARRAY_CONT;
-  j->value= j->value_begin;
-  return 0;
+  if ((++j->stack_p) - j->stack < JSON_DEPTH_LIMIT)
+  {
+    *j->stack_p= JST_ARRAY_CONT;
+    j->value= j->value_begin;
+    return 0;
+  }
+  j->s.error= JE_DEPTH;
+  return 1;
 }
 
 /* Read value of object. */
@@ -157,8 +172,13 @@ static int read_array(json_engine_t *j)
   j->state= JST_ARRAY_START;
   j->value_type= JSON_VALUE_ARRAY;
   j->value= j->value_begin;
-  *(++j->stack_p)= JST_ARRAY_CONT;
-  return 0;
+  if ((++j->stack_p) - j->stack < JSON_DEPTH_LIMIT)
+  {
+    *j->stack_p= JST_ARRAY_CONT;
+    return 0;
+  }
+  j->s.error= JE_DEPTH;
+  return 1;
 }
 
 

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,9 @@ json_valid('{"key1":1, "key2":[2,3]}')`
`10`	`10`	`select json_valid('[false, true, null]');`
`11`	`11`	`json_valid('[false, true, null]')`
`12`	`12`	`1`
	`13`	`+select json_valid(repeat('[', 1000));`
	`14`	`+json_valid(repeat('[', 1000))`
	`15`	`+0`
`13`	`16`	`select json_value('{"key1":123}', '$.key2');`
`14`	`17`	`json_value('{"key1":123}', '$.key2')`
`15`	`18`	`NULL`