MDEV-31543: ASAN heap-buffer-overflow in strncpy when fetching keys

using JSON_OBJECT_FILTER_KEYS function

Analysis:
Insufficient buffer size while copying the data.
Fix:
Change buffer size to accomodate all data.

mysql-test/main/func_json.result

@@ -5197,5 +5197,15 @@ JSON_ARRAY_INTERSECT(c1, c2)
 [4]
 DROP TABLE t1;
 #
+# MDEV-31543: ASAN heap-buffer-overflow in strncpy when fetching keys using JSON_OBJECT_FILTER_KEYS function
+#
+SET @arr1='[1,2,"c"]';
+SET character_set_database=ucs2;
+SET CHARACTER SET utf8;
+SET @obj1='{ "a": 1,"b": 2,"c": 3}';
+SELECT JSON_OBJECT_FILTER_KEYS (@obj1,@arr1);
+JSON_OBJECT_FILTER_KEYS (@obj1,@arr1)
+NULL
+#
 # End of 11.2 Test
 #

mysql-test/main/func_json.test

@@ -4086,6 +4086,16 @@ SELECT JSON_ARRAY_INTERSECT(c1, c2) FROM t1;
 DROP TABLE t1;
 
 
+--echo #
+--echo # MDEV-31543: ASAN heap-buffer-overflow in strncpy when fetching keys using JSON_OBJECT_FILTER_KEYS function
+--echo #
+
+SET @arr1='[1,2,"c"]';
+SET character_set_database=ucs2;
+SET CHARACTER SET utf8;
+SET @obj1='{ "a": 1,"b": 2,"c": 3}';
+SELECT JSON_OBJECT_FILTER_KEYS (@obj1,@arr1);
+
 --echo #
 --echo # End of 11.2 Test
 --echo #

sql/item_jsonfunc.cc

@@ -5418,7 +5418,7 @@ static bool filter_keys(json_engine_t *je1, String *str, HASH items)
         str.append('"');
         str.append('\0');
 
-        char *curr_key= (char*)malloc((size_t)(key_end-key_start+3));
+        char *curr_key= (char*)malloc((size_t)(str.length()+3));
         strncpy(curr_key, str.ptr(), str.length());
 
         if (my_hash_search(&items, (const uchar*)curr_key, strlen(curr_key)))