From 6ab9b7fde5f6a3953188238d92e15d32e5dfdbf9 Mon Sep 17 00:00:00 2001
From: Abhishek Bansal <abhibansal593@gmail.com>
Date: Thu, 5 Mar 2026 01:38:02 +0530
Subject: [PATCH] MDEV-38264: Fix failed assertion in json_find_path with
 trailing commas

The function json_skip_array_and_count() was trapping syntax errors
(e.g., trailing commas) in a local engine copy. Because the error state
wasn't propagated back to the main engine, json_find_path() would
proceed with an inconsistent state, eventually triggering an assertion
failure.

This patch ensures that any error encountered during the lookahead
scan is propagated to the primary engine. This allows the parser to
fail gracefully with a syntax error instead of crashing.
---
 mysql-test/main/func_json.result | 24 ++++++++++++++++++++++++
 mysql-test/main/func_json.test   | 12 ++++++++++++
 strings/json_lib.c               |  6 +++++-
 3 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/mysql-test/main/func_json.result b/mysql-test/main/func_json.result
index 46efc9003f14f..4ba8eda27b6b1 100644
--- a/mysql-test/main/func_json.result
+++ b/mysql-test/main/func_json.result
@@ -2770,4 +2770,28 @@ S1A1
 SELECT JSON_VALUE('{"a":[1,2]}', '$.a[*]');
 JSON_VALUE('{"a":[1,2]}', '$.a[*]')
 NULL
+#
+# MDEV-38264 Assertion in json_find_path() fails after computing
+# array size of invalid json structure
+#
+SELECT JSON_QUERY('{ "A": [0,] }', '$.A[-1]');
+JSON_QUERY('{ "A": [0,] }', '$.A[-1]')
+NULL
+SELECT JSON_VALUE('{ "A": [0,] }', '$.A[-1]');
+JSON_VALUE('{ "A": [0,] }', '$.A[-1]')
+NULL
+SELECT JSON_VALUE('{ "A": [5,] }', '$.A[-2]');
+JSON_VALUE('{ "A": [5,] }', '$.A[-2]')
+NULL
+SELECT JSON_VALUE('{ "A": [5] }', '$.A[-2]');
+JSON_VALUE('{ "A": [5] }', '$.A[-2]')
+NULL
+SELECT JSON_LENGTH('{ "A": [0,] }', '$.A');
+JSON_LENGTH('{ "A": [0,] }', '$.A')
+NULL
+Warnings:
+Warning	4038	Syntax error in JSON text in argument 1 to function 'json_length' at position 11
+SELECT JSON_VALID('{ "A": [0,] }');
+JSON_VALID('{ "A": [0,] }')
+0
 # End of 10.11 Test
diff --git a/mysql-test/main/func_json.test b/mysql-test/main/func_json.test
index b826f66ed85d0..dc10bc6a33439 100644
--- a/mysql-test/main/func_json.test
+++ b/mysql-test/main/func_json.test
@@ -2032,4 +2032,16 @@ COLUMNS(NAME VARCHAR(30) PATH '$.NAME')) AS t_sz;
 
 SELECT JSON_VALUE('{"a":[1,2]}', '$.a[*]');
 
+--echo #
+--echo # MDEV-38264 Assertion in json_find_path() fails after computing
+--echo # array size of invalid json structure
+--echo #
+
+SELECT JSON_QUERY('{ "A": [0,] }', '$.A[-1]');
+SELECT JSON_VALUE('{ "A": [0,] }', '$.A[-1]');
+SELECT JSON_VALUE('{ "A": [5,] }', '$.A[-2]');
+SELECT JSON_VALUE('{ "A": [5] }', '$.A[-2]');
+SELECT JSON_LENGTH('{ "A": [0,] }', '$.A');
+SELECT JSON_VALID('{ "A": [0,] }');
+
 --echo # End of 10.11 Test
diff --git a/strings/json_lib.c b/strings/json_lib.c
index 35efc8f669f22..2f69cc511aee8 100644
--- a/strings/json_lib.c
+++ b/strings/json_lib.c
@@ -1306,9 +1306,13 @@ int json_skip_level_and_count(json_engine_t *j, int *n_items_skipped)
 int json_skip_array_and_count(json_engine_t *je, int *n_items)
 {
   json_engine_t j= *je;
+  int res;
   *n_items= 0;
 
-  return json_skip_level_and_count(&j, n_items); 
+  res= json_skip_level_and_count(&j, n_items);
+  if (res)
+    je->s.error= j.s.error;
+  return res;
 }