MDEV-26392: Crash with json_get_path_next and 10.5.12

Analysis: When we skip level when path is found, it changes the state of the json engine. This breaks the sequence for json_get_path_next() which is called at the end to ensure json document is valid and leads to crash. Fix: Use json_scan_next() at the end to check if json document has correct syntax (is valid).
MariaDB · Jan 18, 2023 · ff72a94 · ff72a94
1 parent 0459d2c
commit ff72a94
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 1 deletion.
diff --git a/mysql-test/main/func_json.result b/mysql-test/main/func_json.result
@@ -1611,5 +1611,17 @@ SELECT json_object('a', coalesce(json_object('b', 'c')));
 json_object('a', coalesce(json_object('b', 'c')))
 {"a": {"b": "c"}}
 #
+# MDEV-26392: Crash with json_get_path_next and 10.5.12
+#
+CREATE TABLE arrNestTest (
+id VARCHAR(80) AS (JSON_COMPACT(JSON_EXTRACT(doc, "$._id"))) UNIQUE KEY,
+doc JSON, 
+CONSTRAINT id_not_null CHECK(id IS NOT NULL));
+INSERT INTO test.arrNestTest (doc) VALUES ('{ "_id" : { "$oid" : "611c0a463b150154132f6636" }, "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : 1.0 } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] }');
+SELECT * FROM arrNestTest;
+id	doc
+{"$oid":"611c0a463b150154132f6636"}	{ "_id" : { "$oid" : "611c0a463b150154132f6636" }, "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : 1.0 } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] }
+DROP TABLE arrNestTest;
+#
 # End of 10.5 tests
 #
diff --git a/mysql-test/main/func_json.test b/mysql-test/main/func_json.test
@@ -1054,6 +1054,18 @@ DROP TABLE t2;
 SELECT json_object('a', if(1, json_object('b', 'c'), json_object('e', 'f')));
 SELECT json_object('a', coalesce(json_object('b', 'c')));
 
+--echo #
+--echo # MDEV-26392: Crash with json_get_path_next and 10.5.12
+--echo #
+
+CREATE TABLE arrNestTest (
+    id VARCHAR(80) AS (JSON_COMPACT(JSON_EXTRACT(doc, "$._id"))) UNIQUE KEY,
+    doc JSON, 
+    CONSTRAINT id_not_null CHECK(id IS NOT NULL));
+
+INSERT INTO test.arrNestTest (doc) VALUES ('{ "_id" : { "$oid" : "611c0a463b150154132f6636" }, "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : 1.0 } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] }');
+SELECT * FROM arrNestTest;
+DROP TABLE arrNestTest;
 
 --echo #
 --echo # End of 10.5 tests

diff --git a/sql/item_jsonfunc.cc b/sql/item_jsonfunc.cc
@@ -994,7 +994,7 @@ String *Item_func_json_extract::read_json(String *str,
     if (!possible_multiple_values)
     {
       /* Loop to the end of the JSON just to make sure it's valid. */
-      while (json_get_path_next(&je, &p) == 0) {}
+      while (json_scan_next(&je) == 0) {}
       break;
     }
   }