MDEV-35548: Fix out-of-bounds array access in json_get_path_start

json_get_path_start() set p->last_step to p->steps - 1, creating a
pointer before the beginning of the steps[] array. This is undefined
behavior flagged by UBSAN as "index -1 out of bounds for type
json_path_step_t[32]".

Use NULL as the sentinel value instead, and check for NULL in
json_get_path_next() rather than comparing against p->steps.

Signed-off-by: Varun Deep Saini <varun.23bcs10048@ms.sst.scaler.com>

Author: Varun Deep Saini

mysql-test/main/func_json.result

@@ -1773,6 +1773,14 @@ null<=>json_extract('1',json_object(null,'{ }',null,null),'{}')
 1
 Warnings:
 Warning	4042	Syntax error in JSON path in argument 2 to function 'json_extract' at position 1
+SELECT JSON_EXTRACT('{a:true}','$.a')=TRUE;
+JSON_EXTRACT('{a:true}','$.a')=TRUE
+NULL
+Warnings:
+Warning	4038	Syntax error in JSON text in argument 1 to function 'json_extract' at position 2
+SELECT JSON_EXTRACT('0E+0','$');
+JSON_EXTRACT('0E+0','$')
+0E+0
 #
 # End of 10.6 tests
 #

mysql-test/main/func_json.test

@@ -1239,6 +1239,10 @@ FROM JSON_TABLE (@data, '$[*]' COLUMNS (data text PATH '$.Data')) AS t;
 select null<=>json_extract('1',json_object(null,'{ }',null,null),'{}');
 
 
+
+SELECT JSON_EXTRACT('{a:true}','$.a')=TRUE;
+SELECT JSON_EXTRACT('0E+0','$');
+
 --echo #
 --echo # End of 10.6 tests
 --echo #

strings/json_lib.c

@@ -1701,14 +1701,14 @@ int json_get_path_start(json_engine_t *je, CHARSET_INFO *i_cs,
                         json_path_t *p)
 {
   json_scan_start(je, i_cs, str, end);
-  p->last_step= p->steps - 1; 
+  p->last_step= NULL;
   return 0;
 }
 
 
 int json_get_path_next(json_engine_t *je, json_path_t *p)
 {
-  if (p->last_step < p->steps)
+  if (p->last_step == NULL)
   {
     if (json_read_value(je))
       return 1;