MDEV-25420 JSON_TABLE: ASAN heap-buffer-overflow in Protocol::net_store_data or consequent failures.

Create_tmp_table::add_field didn't consider BIT type field for null_counter.
2025-01-17 04:22:27 +01:00 · 2021-04-16 11:55:52 +04:00 · 2021-04-16 11:55:52 +04:00 · 59f3399e29
commit 59f3399e29
parent 277aa532f3
3 changed files with 29 additions and 4 deletions
--- a/mysql-test/suite/json/r/json_table.result
+++ b/mysql-test/suite/json/r/json_table.result
@ -832,5 +832,14 @@ x TEXT PATH '$[9]')) AS jt GROUP BY x;
 x	COUNT(*)
 NULL	1
 #
+# MDEV-25408 JSON_TABLE: AddressSanitizer CHECK failed in Binary_string::realloc_raw.
+#
+SELECT * FROM JSON_TABLE('{}', '$' COLUMNS(
+a TEXT EXISTS PATH '$', b VARCHAR(40) PATH '$', c BIT(60) PATH '$', d VARCHAR(60) PATH '$', e BIT(62) PATH '$',
+f FOR ORDINALITY, g INT PATH '$', h VARCHAR(36) PATH '$', i DATE PATH '$', j CHAR(4) PATH '$'
+      )) AS jt;
+a	b	c	d	e	f	g	h	i	j
+1	NULL	NULL	NULL		1	NULL	NULL	NULL	NULL
+#
 # End of 10.6 tests
 #
--- a/mysql-test/suite/json/t/json_table.test
+++ b/mysql-test/suite/json/t/json_table.test
@ -729,5 +729,12 @@ SELECT x, COUNT(*) FROM JSON_TABLE( '{}', '$' COLUMNS(
      x TEXT PATH '$[9]')) AS jt GROUP BY x;

 --echo #
+--echo # MDEV-25408 JSON_TABLE: AddressSanitizer CHECK failed in Binary_string::realloc_raw.
+--echo #
+SELECT * FROM JSON_TABLE('{}', '$' COLUMNS(
+      a TEXT EXISTS PATH '$', b VARCHAR(40) PATH '$', c BIT(60) PATH '$', d VARCHAR(60) PATH '$', e BIT(62) PATH '$',
+      f FOR ORDINALITY, g INT PATH '$', h VARCHAR(36) PATH '$', i DATE PATH '$', j CHAR(4) PATH '$'
+      )) AS jt;
+--echo #
 --echo # End of 10.6 tests
 --echo #
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@ -18291,6 +18291,16 @@ Create_tmp_table::Create_tmp_table(ORDER *group, bool distinct,
 }


+static void add_null_bits_for_field(const Field *f, uint *null_counter)
+{
+  if (!f->flags & NOT_NULL_FLAG)
+    (*null_counter)++;
+
+  if (f->type() != MYSQL_TYPE_BIT)
+   (*null_counter)+= f->field_length & 7;
+}
+
+
 void Create_tmp_table::add_field(TABLE *table, Field *field, uint fieldnr,
                                 bool force_not_null_cols)
 {
@ -18303,8 +18313,7 @@ void Create_tmp_table::add_field(TABLE *table, Field *field, uint fieldnr,
    field->null_ptr= NULL;
  }

-  if (!(field->flags & NOT_NULL_FLAG))
-    m_null_count[current_counter]++;
+  add_null_bits_for_field(field, m_null_count + current_counter);

  table->s->reclength+= field->pack_length();

@ -18885,7 +18894,6 @@ bool Create_tmp_table::finalize(THD *thd,
      recinfo->null_pos= (null_pack_base[current_counter] +
                          null_counter[current_counter]/8);
      field->move_field(pos, null_flags + recinfo->null_pos, recinfo->null_bit);
-      null_counter[current_counter]++;
    }
    else
      field->move_field(pos,(uchar*) 0,0);
@ -18896,8 +18904,9 @@ bool Create_tmp_table::finalize(THD *thd,
                                        null_pack_base[current_counter] +
                                        null_counter[current_counter]/8,
                                        null_counter[current_counter] & 7);
-      null_counter[current_counter]+= (field->field_length & 7);
    }
+
+    add_null_bits_for_field(field, null_counter + current_counter);
    field->reset();

    /*