diff options
| author | Alexey Botchkov <holyfoot@askmonty.org> | 2017-10-05 23:46:25 +0400 |
|---|---|---|
| committer | Alexey Botchkov <holyfoot@askmonty.org> | 2017-10-05 23:46:25 +0400 |
| commit | f1a20ec396b1096a2afb9549ddd637de9653d099 (patch) | |
| tree | a2c4856a6affcb444caf57c9b7373a9f17444bee | |
| parent | 1f6ada8da8dbbe8c2d9e50ed0d4bd54c6f81653b (diff) | |
| download | mariadb-git-f1a20ec396b1096a2afb9549ddd637de9653d099.tar.gz | |
MDEV-12311 Insufficient check for argument validity in JSON functions.
Check validity to the end of the JSON in the json_length
function.
| -rw-r--r-- | mysql-test/r/func_json.result | 5 | ||||
| -rw-r--r-- | mysql-test/t/func_json.test | 1 | ||||
| -rw-r--r-- | sql/item_jsonfunc.cc | 9 |
3 files changed, 14 insertions, 1 deletions
diff --git a/mysql-test/r/func_json.result b/mysql-test/r/func_json.result index 3ec7f377a49..06c3b3fc2c3 100644 --- a/mysql-test/r/func_json.result +++ b/mysql-test/r/func_json.result @@ -446,6 +446,11 @@ json_length('{"a": 1, "b": {"c": 30}}', '$.b') select json_length('{"a": 1, "b": {"c": 30}}'); json_length('{"a": 1, "b": {"c": 30}}') 2 +select json_length('{}{'); +json_length('{}{') +NULL +Warnings: +Warning 4038 Syntax error in JSON text in argument 1 to function 'json_length' at position 3 create table json (j INT); show create table json; Table Create Table diff --git a/mysql-test/t/func_json.test b/mysql-test/t/func_json.test index fdb5763771e..bc20a2222df 100644 --- a/mysql-test/t/func_json.test +++ b/mysql-test/t/func_json.test @@ -180,6 +180,7 @@ select json_length('{}'); select json_length('[1, 2, {"a": 3}]'); select json_length('{"a": 1, "b": {"c": 30}}', '$.b'); select json_length('{"a": 1, "b": {"c": 30}}'); +select json_length('{}{'); create table json (j INT); show create table json; diff --git a/sql/item_jsonfunc.cc b/sql/item_jsonfunc.cc index d0cde98de3d..8561e08426b 100644 --- a/sql/item_jsonfunc.cc +++ b/sql/item_jsonfunc.cc @@ -2130,6 +2130,7 @@ longlong Item_func_json_length::val_int() json_engine_t je; uint length= 0; uint array_counters[JSON_DEPTH_LIMIT]; + int err; if ((null_value= args[0]->null_value)) return 0; @@ -2171,7 +2172,7 @@ longlong Item_func_json_length::val_int() if (json_value_scalar(&je)) return 1; - while (json_scan_next(&je) == 0 && + while (!(err= json_scan_next(&je)) && je.state != JST_OBJ_END && je.state != JST_ARRAY_END) { switch (je.state) @@ -2190,6 +2191,12 @@ longlong Item_func_json_length::val_int() }; } + if (!err) + { + /* Parse to the end of the JSON just to check it's valid. */ + while (json_scan_next(&je) == 0) {} + } + if (!je.s.error) return length; |