MDEV-26392: Crash with json_get_path_next and 10.5.12

mariadb-RuchaDeodhar · mariadb-RuchaDeodhar · commit ff72a9431a65 · 2023-01-18T16:28:50.000+05:30
Analysis:
When we skip level when path is found, it changes the state of the json
engine. This breaks the sequence for json_get_path_next() which is called at
the end to ensure json document is valid and leads to crash.
Fix:
Use json_scan_next() at the end to check if json document has correct
syntax (is valid).
diff --git a/mysql-test/main/func_json.result b/mysql-test/main/func_json.result
@@ -1611,5 +1611,17 @@ SELECT json_object('a', coalesce(json_object('b', 'c')));
 json_object('a', coalesce(json_object('b', 'c')))
 {"a": {"b": "c"}}
 #
+# MDEV-26392: Crash with json_get_path_next and 10.5.12
+#
+CREATE TABLE arrNestTest (
+id VARCHAR(80) AS (JSON_COMPACT(JSON_EXTRACT(doc, "$._id"))) UNIQUE KEY,
+doc JSON, 
+CONSTRAINT id_not_null CHECK(id IS NOT NULL));
+INSERT INTO test.arrNestTest (doc) VALUES ('{ "_id" : { "$oid" : "611c0a463b150154132f6636" }, "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : 1.0 } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] }');
+SELECT * FROM arrNestTest;
+id	doc
+{"$oid":"611c0a463b150154132f6636"}	{ "_id" : { "$oid" : "611c0a463b150154132f6636" }, "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : 1.0 } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] }
+DROP TABLE arrNestTest;
+#
 # End of 10.5 tests
 #
diff --git a/mysql-test/main/func_json.test b/mysql-test/main/func_json.test
@@ -1054,6 +1054,18 @@ DROP TABLE t2;
 SELECT json_object('a', if(1, json_object('b', 'c'), json_object('e', 'f')));
 SELECT json_object('a', coalesce(json_object('b', 'c')));
 
+--echo #
+--echo # MDEV-26392: Crash with json_get_path_next and 10.5.12
+--echo #
+
+CREATE TABLE arrNestTest (
+    id VARCHAR(80) AS (JSON_COMPACT(JSON_EXTRACT(doc, "$._id"))) UNIQUE KEY,
+    doc JSON, 
+    CONSTRAINT id_not_null CHECK(id IS NOT NULL));
+    
+INSERT INTO test.arrNestTest (doc) VALUES ('{ "_id" : { "$oid" : "611c0a463b150154132f6636" }, "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : 1.0 } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] }');
+SELECT * FROM arrNestTest;
+DROP TABLE arrNestTest;
 
 --echo #
 --echo # End of 10.5 tests
diff --git a/sql/item_jsonfunc.cc b/sql/item_jsonfunc.cc
@@ -994,7 +994,7 @@ String *Item_func_json_extract::read_json(String *str,
     if (!possible_multiple_values)
     {
       /* Loop to the end of the JSON just to make sure it's valid. */
-      while (json_get_path_next(&je, &p) == 0) {}
+      while (json_scan_next(&je) == 0) {}
       break;
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -994,7 +994,7 @@ String Item_func_json_extract::read_json(String str,`
`994`	`994`	`if (!possible_multiple_values)`
`995`	`995`	`{`
`996`	`996`	`/* Loop to the end of the JSON just to make sure it's valid. */`
`997`		`- while (json_get_path_next(&je, &p) == 0) {}`
	`997`	`+ while (json_scan_next(&je) == 0) {}`
`998`	`998`	`break;`
`999`	`999`	`}`
`1000`	`1000`	`}`