MDEV-25420 JSON_TABLE: ASAN heap-buffer-overflow in Protocol::net_store_data...

MDEV-25420 JSON_TABLE: ASAN heap-buffer-overflow in Protocol::net_store_data or consequent failures. Create_tmp_table::add_field didn't consider BIT type field for null_counter.

MDEV-25420 JSON_TABLE: ASAN heap-buffer-overflow in Protocol::net_store_data...
MDEV-25420 JSON_TABLE: ASAN heap-buffer-overflow in Protocol::net_store_data or consequent failures. Create_tmp_table::add_field didn't consider BIT type field for null_counter.
59f3399e · Alexey Botchkov · 277aa532 · 59f3399e · 59f3399e · 59f3399e
Commit 59f3399e authored Apr 16, 2021 by Alexey Botchkov
3 changed files
--- a/mysql-test/suite/json/r/json_table.result
+++ b/mysql-test/suite/json/r/json_table.result
--- a/mysql-test/suite/json/t/json_table.test
+++ b/mysql-test/suite/json/t/json_table.test
@@ -729,5 +729,12 @@ SELECT x, COUNT(*) FROM JSON_TABLE( '{}', '$' COLUMNS(
      x TEXT PATH '$[9]')) AS jt GROUP BY x;

 --echo #
+--echo # MDEV-25408 JSON_TABLE: AddressSanitizer CHECK failed in Binary_string::realloc_raw.
+--echo #
+SELECT * FROM JSON_TABLE('{}', '$' COLUMNS(
+      a TEXT EXISTS PATH '$', b VARCHAR(40) PATH '$', c BIT(60) PATH '$', d VARCHAR(60) PATH '$', e BIT(62) PATH '$',
+      f FOR ORDINALITY, g INT PATH '$', h VARCHAR(36) PATH '$', i DATE PATH '$', j CHAR(4) PATH '$'
+      )) AS jt;
+--echo #
 --echo # End of 10.6 tests
 --echo #
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -18291,6 +18291,16 @@ Create_tmp_table::Create_tmp_table(ORDER *group, bool distinct,
 }


+static void add_null_bits_for_field(const Field *f, uint *null_counter)
+{
+  if (!f->flags & NOT_NULL_FLAG)
+    (*null_counter)++;
+
+  if (f->type() != MYSQL_TYPE_BIT)
+   (*null_counter)+= f->field_length & 7;
+}
+
+
 void Create_tmp_table::add_field(TABLE *table, Field *field, uint fieldnr,
                                 bool force_not_null_cols)
 {
@@ -18303,8 +18313,7 @@ void Create_tmp_table::add_field(TABLE *table, Field *field, uint fieldnr,
    field->null_ptr= NULL;
  }

-  if (!(field->flags & NOT_NULL_FLAG))
-    m_null_count[current_counter]++;
+  add_null_bits_for_field(field, m_null_count + current_counter);

  table->s->reclength+= field->pack_length();

@@ -18885,7 +18894,6 @@ bool Create_tmp_table::finalize(THD *thd,
      recinfo->null_pos= (null_pack_base[current_counter] +
                          null_counter[current_counter]/8);
      field->move_field(pos, null_flags + recinfo->null_pos, recinfo->null_bit);
-      null_counter[current_counter]++;
    }
    else
      field->move_field(pos,(uchar*) 0,0);
@@ -18896,8 +18904,9 @@ bool Create_tmp_table::finalize(THD *thd,
                                        null_pack_base[current_counter] +
                                        null_counter[current_counter]/8,
                                        null_counter[current_counter] & 7);
-      null_counter[current_counter]+= (field->field_length & 7);
    }
+
+    add_null_bits_for_field(field, null_counter + current_counter);
    field->reset();

    /*