From 1232fca39b5e2f7bf93c8506b540ad592ddff6a8 Mon Sep 17 00:00:00 2001 From: Varun Deep Saini Date: Fri, 6 Mar 2026 21:57:30 +0530 Subject: [PATCH] MDEV-35548: Fix out-of-bounds array access in json_get_path_start json_get_path_start() set p->last_step to p->steps - 1, creating a pointer before the beginning of the steps[] array. This is undefined behavior flagged by UBSAN as "index -1 out of bounds for type json_path_step_t[32]". Use NULL as the sentinel value instead, and check for NULL in json_get_path_next() rather than comparing against p->steps. Signed-off-by: Varun Deep Saini --- mysql-test/main/func_json.result | 8 ++++++++ mysql-test/main/func_json.test | 4 ++++ strings/json_lib.c | 4 ++-- 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/mysql-test/main/func_json.result b/mysql-test/main/func_json.result index a000cfbeefe90..1c1889f847d31 100644 --- a/mysql-test/main/func_json.result +++ b/mysql-test/main/func_json.result @@ -1773,6 +1773,14 @@ null<=>json_extract('1',json_object(null,'{ }',null,null),'{}') 1 Warnings: Warning 4042 Syntax error in JSON path in argument 2 to function 'json_extract' at position 1 +SELECT JSON_EXTRACT('{a:true}','$.a')=TRUE; +JSON_EXTRACT('{a:true}','$.a')=TRUE +NULL +Warnings: +Warning 4038 Syntax error in JSON text in argument 1 to function 'json_extract' at position 2 +SELECT JSON_EXTRACT('0E+0','$'); +JSON_EXTRACT('0E+0','$') +0E+0 # # End of 10.6 tests # diff --git a/mysql-test/main/func_json.test b/mysql-test/main/func_json.test index da22d719a8d3a..c3f6d2e551d82 100644 --- a/mysql-test/main/func_json.test +++ b/mysql-test/main/func_json.test @@ -1239,6 +1239,10 @@ FROM JSON_TABLE (@data, '$[*]' COLUMNS (data text PATH '$.Data')) AS t; select null<=>json_extract('1',json_object(null,'{ }',null,null),'{}'); + +SELECT JSON_EXTRACT('{a:true}','$.a')=TRUE; +SELECT JSON_EXTRACT('0E+0','$'); + --echo # --echo # End of 10.6 tests --echo # 
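Review bot: The two queries added to func_json.test carry no comment tying them to the bug being fixed, and from the patch alone it is not visible which of them actually reaches json_get_path_start()/json_get_path_next() (both are plain single-path JSON_EXTRACT calls), so a later reader cannot tell whether the case still guards the UBSAN finding. I would precede them with the usual header lines `--echo #`, `--echo # MDEV-35548 UBSAN: index -1 out of bounds in json_get_path_start`, `--echo #` so the intent is recorded next to the test. If a call path such as JSON_SEARCH or multi-path JSON_EXTRACT is what drives json_get_path_start() in this tree, adding one such query would pin the fix more directly; I cannot confirm that from the hunk. The .result hunk is generated output and needs no separate review.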
diff --git a/strings/json_lib.c b/strings/json_lib.c
index 5f55a83c9d4f9..28c341ecf171a 100644
--- a/strings/json_lib.c
+++ b/strings/json_lib.c
@@ -1701,14 +1701,14 @@ int json_get_path_start(json_engine_t *je, CHARSET_INFO *i_cs,
                         json_path_t *p)
 {
   json_scan_start(je, i_cs, str, end);
-  p->last_step= p->steps - 1;
+  p->last_step= NULL;
   return 0;
 }
 
 
 int json_get_path_next(json_engine_t *je, json_path_t *p)
 {
-  if (p->last_step < p->steps)
+  if (p->last_step == NULL)
   {
     if (json_read_value(je))
       return 1;
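Review bot: Switching the "no step yet" sentinel from `p->steps - 1` to NULL is only safe if every writer and reader of `last_step` that used the old convention changes with it; this hunk converts one store in json_get_path_start() and one test in json_get_path_next(), but json_get_path_next()'s body continues past the hunk and any other initialiser in json_lib.c that still stores `p->steps - 1` (json_find_paths_first() or json_path_setup(), if they use the same idiom — not visible here) would now make the NULL check false on the first call and dereference one element before the array, the very access being fixed. Likewise any depth arithmetic of the form `p->last_step - p->steps` on a path in the initial state would now subtract from a null pointer, which is itself undefined, so a grep for `steps - 1` and `last_step -` before merging would confirm nothing else depends on the old sentinel. The new store would also benefit from a comment stating the contract, e.g. `p->last_step= NULL; /* no step consumed yet; json_get_path_next() must point it at p->steps before dereferencing */`, since the rest of that function (outside the hunk) is what makes the NULL state safe to leave.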