MDEV-31566 Fix buffer overrun of column_json function

The accounting of the limit variable that represents the amount of space left it the buffer was incorrect. Also there was 1 or 2 bytes left to write that occured without the buffer length being checked. Review: Sanja Byelkin
MariaDB · May 9, 2024 · 8677472 · 8677472
1 parent 034abab
commit 8677472
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 24 deletions.
diff --git a/mysql-test/main/dyncol.result b/mysql-test/main/dyncol.result
@@ -1950,12 +1950,6 @@ ex
 # End of 10.4 tests
 #
 #
-# Start of 10.5 tests
-#
-#
-# Start of 10.5 tests
-#
-#
 # MDEV-33788 HEX(COLUMN_CREATE(.. AS CHAR ...)) fails with --view-protocol
 #
 SELECT hex(column_create(1,'a' AS CHAR CHARACTER SET utf8mb3 COLLATE utf8mb3_bin)) AS ex;
@@ -1967,5 +1961,12 @@ SELECT hex(column_add(column_create(
 ex
 00020001000302001353612162
 #
-# Start of 10.5 tests
+# MDEV-31566 Fix buffer overrun of column_json function
 #
+select column_json(0x0402000A0000000300030023076A736E7375626A6563742E0005006C0027000200290002002B0002002D0002002F0002000C31000C3B000C4B000C51000F62006631663266336634663509E5A79AE8BF9CE6B48B0FE8819AE9809AE98791E6A1A5E5BA970537343530301031313634332F393634352F31313630300C080000000000EFBFBDEFBFBD192E);
+column_json(0x0402000A0000000300030023076A736E7375626A6563742E0005006C0027000200290002002B0002002D0002002F0002000C31000C3B000C4B000C51000F62006631663266336634663509E5A79AE8BF9CE6B48B0FE8819AE9809AE98791E6A1A5E5BA970537343530301031313634332F393634352F31313
+{"jsn":"\u0000\u0005\u0000l\u0000'\u0000\u0002\u0000)\u0000\u0002\u0000+\u0000\u0002\u0000-\u0000\u0002\u0000/\u0000\u0002\u0000\u000C1\u0000\u000C;\u0000\u000CK\u0000\u000CQ\u0000\u000Fb\u0000f1f2f3f4f5\u0009姚远洋\u000F聚通金桥店\u000574500\u001011643/9645/11600\u000C\u0008\u0000\u0000\u0000\u0000\u0000��\u0019","subject":""}
+select column_json(0x0402000900000003000300740C6A736E766F6C756D652E000900EFBFBD004300020045000200470003004A0004004E00050053000500580005005D000500620005000C67000C6A000C6D000C7000052C00051B00052C000CEFBFBD0007EFBFBD006638663966313070696332626F785F63626F785F67626F785F6B626F785F7666355F696402343402343402333241687474703A2F2F6F73732E68646238382E636F6D2F302F70686F746F2F30373865653765376336343634616236386130343833373333323636613532612E67696608302E303532323732244F1E00030180C106);
+column_json(0x0402000900000003000300740C6A736E766F6C756D652E000900EFBFBD004300020045000200470003004A0004004E00050053000500580005005D000500620005000C67000C6A000C6D000C7000052C00051B00052C000CEFBFBD0007EFBFBD006638663966313070696332626F785F63626F785F67626F7
+{"jsn":"\u0000\u0009\u0000�\u0000C\u0000\u0002\u0000E\u0000\u0002\u0000G\u0000\u0003\u0000J\u0000\u0004\u0000N\u0000\u0005\u0000S\u0000\u0005\u0000X\u0000\u0005\u0000]\u0000\u0005\u0000b\u0000\u0005\u0000\u000Cg\u0000\u000Cj\u0000\u000Cm\u0000\u000Cp\u0000\u0005,\u0000\u0005\u001B\u0000\u0005,\u0000\u000C�\u0000\u0007�\u0000f8f9f10pic2box_cbox_gbox_kbox_vf5_id\u000244\u000244\u000232Ahttp://oss.hdb88.com/0/photo/078ee7e7c6464ab68a0483733266a52a.gif\u00080.052272$O\u001E\u0000","volume":193.6}
+# End of 10.5 tests
diff --git a/mysql-test/main/dyncol.test b/mysql-test/main/dyncol.test
@@ -1001,14 +1001,6 @@ SELECT HEX(COLUMN_ADD(COLUMN_CREATE(1,10),2,NULL,1,NULL)) as ex;
 --echo # End of 10.4 tests
 --echo #
 
---echo #
---echo # Start of 10.5 tests
---echo #
-
---echo #
---echo # Start of 10.5 tests
---echo #
-
 --echo #
 --echo # MDEV-33788 HEX(COLUMN_CREATE(.. AS CHAR ...)) fails with --view-protocol
 --echo #
@@ -1019,5 +1011,10 @@ SELECT hex(column_add(column_create(
                       2, 'b' AS CHAR CHARACTER SET utf8mb3 COLLATE utf8mb3_general_ci)) AS ex;
 
 --echo #
---echo # Start of 10.5 tests
+--echo # MDEV-31566 Fix buffer overrun of column_json function
 --echo #
+
+select column_json(0x0402000A0000000300030023076A736E7375626A6563742E0005006C0027000200290002002B0002002D0002002F0002000C31000C3B000C4B000C51000F62006631663266336634663509E5A79AE8BF9CE6B48B0FE8819AE9809AE98791E6A1A5E5BA970537343530301031313634332F393634352F31313630300C080000000000EFBFBDEFBFBD192E);
+select column_json(0x0402000900000003000300740C6A736E766F6C756D652E000900EFBFBD004300020045000200470003004A0004004E00050053000500580005005D000500620005000C67000C6A000C6D000C7000052C00051B00052C000CEFBFBD0007EFBFBD006638663966313070696332626F785F63626F785F67626F785F6B626F785F7666355F696402343402343402333241687474703A2F2F6F73732E68646238382E636F6D2F302F70686F746F2F30373865653765376336343634616236386130343833373333323636613532612E67696608302E303532323732244F1E00030180C106);
+
+--echo # End of 10.5 tests
diff --git a/mysys/ma_dyncol.c b/mysys/ma_dyncol.c
@@ -3848,13 +3848,13 @@ my_bool dynstr_append_json_quoted(DYNAMIC_STRING *str,
     register char c= append[i];
     if (unlikely(((uchar)c) <= 0x1F))
     {
-      if (lim < 5)
+      if (lim < 6)
         {
           if (dynstr_realloc(str, additional))
             return TRUE;
           lim+= additional;
         }
-        lim-= 5;
+        lim -= 6;
         str->str[str->length++]= '\\';
         str->str[str->length++]= 'u';
         str->str[str->length++]= '0';
@@ -3865,17 +3865,18 @@ my_bool dynstr_append_json_quoted(DYNAMIC_STRING *str,
     }
     else
     {
+      if (lim < 2)
+      {
+        if (dynstr_realloc(str, additional))
+          return TRUE;
+        lim += additional;
+      }
       if (c == '"' || c == '\\')
       {
-        if (!lim)
-        {
-          if (dynstr_realloc(str, additional))
-            return TRUE;
-          lim= additional;
-        }
         lim--;
         str->str[str->length++]= '\\';
       }
+      lim--;
       str->str[str->length++]= c;
     }
   }