authorAlexey Botchkov <holyfoot@askmonty.org>2017-10-05 23:46:25 +0400
committerAlexey Botchkov <holyfoot@askmonty.org>2017-10-05 23:46:25 +0400
commitf1a20ec396b1096a2afb9549ddd637de9653d099 (patch)
treea2c4856a6affcb444caf57c9b7373a9f17444bee /sql/item_jsonfunc.cc
parent1f6ada8da8dbbe8c2d9e50ed0d4bd54c6f81653b (diff)
MDEV-12311 Insufficient check for argument validity in JSON functions.
Check validity to the end of the JSON in the json_length function.
Diffstat (limited to 'sql/item_jsonfunc.cc')
-rw-r--r--sql/item_jsonfunc.cc9
1 files changed, 8 insertions, 1 deletions
diff --git a/sql/item_jsonfunc.cc b/sql/item_jsonfunc.cc
index d0cde98de3d..8561e08426b 100644
--- a/sql/item_jsonfunc.cc
+++ b/sql/item_jsonfunc.cc
@@ -2130,6 +2130,7 @@ longlong Item_func_json_length::val_int()
json_engine_t je;
uint length= 0;
uint array_counters[JSON_DEPTH_LIMIT];
+ int err;
if ((null_value= args[0]->null_value))
return 0;
@@ -2171,7 +2172,7 @@ longlong Item_func_json_length::val_int()
if (json_value_scalar(&je))
return 1;
- while (json_scan_next(&je) == 0 &&
+ while (!(err= json_scan_next(&je)) &&
je.state != JST_OBJ_END && je.state != JST_ARRAY_END)
{
switch (je.state)
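Review bot: The scalar early exit kept as context just above the changed loop, `if (json_value_scalar(&je)) return 1;`, returns before the end-of-document scan that this commit adds after the loop. As far as these hunks show, a scalar value followed by malformed text would therefore still be reported with length 1 instead of being rejected, which is the kind of insufficient argument check the commit sets out to close. Unless code outside the hunk already guarantees the remainder of the input is well formed, the scalar path should run the same trailing `json_scan_next` scan and `je.s.error` test before returning 1. val_int() starts and ends outside this hunk, so this needs confirming against the full function.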
@@ -2190,6 +2191,12 @@ longlong Item_func_json_length::val_int()
};
}
+ if (!err)
+ {
+ /* Parse to the end of the JSON just to check it's valid. */
+ while (json_scan_next(&je) == 0) {}
+ }
+
if (!je.s.error)
return length;
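Review bot: The comment on the added scan does not say how the empty-bodied loop terminates or how a clean end of input is told apart from a syntax error. From the hunk, the loop stops on any non-zero return from `json_scan_next` and the following `if (!je.s.error)` decides which case it was; presumably that is the scanner's contract, and the comment should state it, e.g. `/* Scan the rest only to validate it; a non-zero return means end of input or an error, je.s.error below tells which. */`. Separately, `err` is assigned only inside the loop condition, so declaring it as `int err= 0;` would keep the `if (!err)` test well defined if a later change ever lets control reach it without entering the loop.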