MDEV-31566 Fix buffer overrun of column_json function

The accounting of the limit variable that represents the amount of space left it the buffer was incorrect. Also there was 1 or 2 bytes left to write that occured without the buffer length being checked. Review: Sanja Byelkin

MDEV-31566 Fix buffer overrun of column_json function
The accounting of the limit variable that represents the amount of space left it the buffer was incorrect. Also there was 1 or 2 bytes left to write that occured without the buffer length being checked. Review: Sanja Byelkin
86774720 · He Guohua · Daniel Black · 034ababa · 86774720 · 86774720
Commit 86774720 authored May 07, 2024 by He Guohua Committed by Daniel Black May 09, 2024
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 24 deletions

mysql-test/main/dyncol.result mysql-test/main/dyncol.result +8 -7

mysql-test/main/dyncol.test mysql-test/main/dyncol.test +6 -9

mysys/ma_dyncol.c mysys/ma_dyncol.c +9 -8

No files found.
--- a/mysql-test/main/dyncol.result
+++ b/mysql-test/main/dyncol.result
@@ -1950,12 +1950,6 @@ ex
 # End of 10.4 tests
 #
 #
-# Start of 10.5 tests
-#
-#
-# Start of 10.5 tests
-#
-#
 # MDEV-33788 HEX(COLUMN_CREATE(.. AS CHAR ...)) fails with --view-protocol
 #
 SELECT hex(column_create(1,'a' AS CHAR CHARACTER SET utf8mb3 COLLATE utf8mb3_bin)) AS ex;
@@ -1967,5 +1961,12 @@ SELECT hex(column_add(column_create(
 ex
 00020001000302001353612162
 #
-# Start of 10.5 tests
+# MDEV-31566 Fix buffer overrun of column_json function
 #
+select column_json(0x0402000A0000000300030023076A736E7375626A6563742E0005006C0027000200290002002B0002002D0002002F0002000C31000C3B000C4B000C51000F62006631663266336634663509E5A79AE8BF9CE6B48B0FE8819AE9809AE98791E6A1A5E5BA970537343530301031313634332F393634352F31313630300C080000000000EFBFBDEFBFBD192E);
+column_json(0x0402000A0000000300030023076A736E7375626A6563742E0005006C0027000200290002002B0002002D0002002F0002000C31000C3B000C4B000C51000F62006631663266336634663509E5A79AE8BF9CE6B48B0FE8819AE9809AE98791E6A1A5E5BA970537343530301031313634332F393634352F31313
+{"jsn":"\u0000\u0005\u0000l\u0000'\u0000\u0002\u0000)\u0000\u0002\u0000+\u0000\u0002\u0000-\u0000\u0002\u0000/\u0000\u0002\u0000\u000C1\u0000\u000C;\u0000\u000CK\u0000\u000CQ\u0000\u000Fb\u0000f1f2f3f4f5\u0009姚远洋\u000F聚通金桥店\u000574500\u001011643/9645/11600\u000C\u0008\u0000\u0000\u0000\u0000\u0000��\u0019","subject":""}
+select column_json(0x0402000900000003000300740C6A736E766F6C756D652E000900EFBFBD004300020045000200470003004A0004004E00050053000500580005005D000500620005000C67000C6A000C6D000C7000052C00051B00052C000CEFBFBD0007EFBFBD006638663966313070696332626F785F63626F785F67626F785F6B626F785F7666355F696402343402343402333241687474703A2F2F6F73732E68646238382E636F6D2F302F70686F746F2F30373865653765376336343634616236386130343833373333323636613532612E67696608302E303532323732244F1E00030180C106);
+column_json(0x0402000900000003000300740C6A736E766F6C756D652E000900EFBFBD004300020045000200470003004A0004004E00050053000500580005005D000500620005000C67000C6A000C6D000C7000052C00051B00052C000CEFBFBD0007EFBFBD006638663966313070696332626F785F63626F785F67626F7
+{"jsn":"\u0000\u0009\u0000�\u0000C\u0000\u0002\u0000E\u0000\u0002\u0000G\u0000\u0003\u0000J\u0000\u0004\u0000N\u0000\u0005\u0000S\u0000\u0005\u0000X\u0000\u0005\u0000]\u0000\u0005\u0000b\u0000\u0005\u0000\u000Cg\u0000\u000Cj\u0000\u000Cm\u0000\u000Cp\u0000\u0005,\u0000\u0005\u001B\u0000\u0005,\u0000\u000C�\u0000\u0007�\u0000f8f9f10pic2box_cbox_gbox_kbox_vf5_id\u000244\u000244\u000232Ahttp://oss.hdb88.com/0/photo/078ee7e7c6464ab68a0483733266a52a.gif\u00080.052272$O\u001E\u0000","volume":193.6}
+# End of 10.5 tests
--- a/mysql-test/main/dyncol.test
+++ b/mysql-test/main/dyncol.test
@@ -1001,14 +1001,6 @@ SELECT HEX(COLUMN_ADD(COLUMN_CREATE(1,10),2,NULL,1,NULL)) as ex;
 --echo # End of 10.4 tests
 --echo #
--echo #
--echo # Start of 10.5 tests
--echo #
--echo #
--echo # Start of 10.5 tests
--echo #
 --echo #
 --echo # MDEV-33788 HEX(COLUMN_CREATE(.. AS CHAR ...)) fails with --view-protocol
 --echo #
@@ -1019,5 +1011,10 @@ SELECT hex(column_add(column_create(
                      2, 'b' AS CHAR CHARACTER SET utf8mb3 COLLATE utf8mb3_general_ci)) AS ex;
 --echo #
--echo # Start of 10.5 tests
+--echo # MDEV-31566 Fix buffer overrun of column_json function
 --echo #
+select column_json(0x0402000A0000000300030023076A736E7375626A6563742E0005006C0027000200290002002B0002002D0002002F0002000C31000C3B000C4B000C51000F62006631663266336634663509E5A79AE8BF9CE6B48B0FE8819AE9809AE98791E6A1A5E5BA970537343530301031313634332F393634352F31313630300C080000000000EFBFBDEFBFBD192E);
+select column_json(0x0402000900000003000300740C6A736E766F6C756D652E000900EFBFBD004300020045000200470003004A0004004E00050053000500580005005D000500620005000C67000C6A000C6D000C7000052C00051B00052C000CEFBFBD0007EFBFBD006638663966313070696332626F785F63626F785F67626F785F6B626F785F7666355F696402343402343402333241687474703A2F2F6F73732E68646238382E636F6D2F302F70686F746F2F30373865653765376336343634616236386130343833373333323636613532612E67696608302E303532323732244F1E00030180C106);
+--echo # End of 10.5 tests
--- a/mysys/ma_dyncol.c
+++ b/mysys/ma_dyncol.c
@@ -3848,13 +3848,13 @@ my_bool dynstr_append_json_quoted(DYNAMIC_STRING *str,
    register char c= append[i];
    if (unlikely(((uchar)c) <= 0x1F))
    {
-      if (lim < 5)
+      if (lim < 6)
        {
          if (dynstr_realloc(str, additional))
            return TRUE;
          lim+= additional;
        }
-        lim-= 5;
+        lim -= 6;
        str->str[str->length++]= '\\';
        str->str[str->length++]= 'u';
        str->str[str->length++]= '0';
@@ -3865,17 +3865,18 @@ my_bool dynstr_append_json_quoted(DYNAMIC_STRING *str,
    }
    else
    {
+      if (lim < 2)
+      {
+        if (dynstr_realloc(str, additional))
+          return TRUE;
+        lim += additional;
+      }
      if (c == '"' || c == '\\')
      {
-        if (!lim)
-        {
-          if (dynstr_realloc(str, additional))
-            return TRUE;
-          lim= additional;
-        }
        lim--;
        str->str[str->length++]= '\\';
      }
+      lim--;
      str->str[str->length++]= c;
    }
  }