authorRucha Deodhar <rucha.deodhar@mariadb.com>2022-06-21 14:58:34 +0530
committerRucha Deodhar <rucha.deodhar@mariadb.com>2022-07-20 19:24:48 +0530
commitdbe39f14fede0f5fbe0ce7470ae4fde21767842c (patch)
tree46ee8c3b4af3a20aee53b1a58cefb1193244f2df /sql/item_jsonfunc.cc
parent1848804840f5595f982c4cd502ba2112f6dd7911 (diff)
MDEV-28762: recursive call of some json functions without stack control
Analysis: Some recursive json functions don't check for stack control. Fix: Add check_stack_overrun(). The last argument is NULL because it is not used.
Diffstat (limited to 'sql/item_jsonfunc.cc')
-rw-r--r--sql/item_jsonfunc.cc121
1 files changed, 121 insertions, 0 deletions
diff --git a/sql/item_jsonfunc.cc b/sql/item_jsonfunc.cc
index 51e8825aca8..ff6013d5eb6 100644
--- a/sql/item_jsonfunc.cc
+++ b/sql/item_jsonfunc.cc
@@ -18,6 +18,7 @@
#include "sql_priv.h"
#include "sql_class.h"
#include "item.h"
+#include "sql_parse.h" // For check_stack_overrun
/*
@@ -128,6 +129,110 @@ static int append_tab(String *js, int depth, int tab_size)
return 0;
}
+int json_path_parts_compare(
+ const json_path_step_t *a, const json_path_step_t *a_end,
+ const json_path_step_t *b, const json_path_step_t *b_end,
+ enum json_value_types vt)
+{
+ int res, res2;
+
+ DBUG_EXECUTE_IF("json_check_min_stack_requirement",
+ {alloca(my_thread_stack_size-(STACK_MIN_SIZE));});
+ if (check_stack_overrun(current_thd, STACK_MIN_SIZE, NULL))
+ return 1;
+ while (a <= a_end)
+ {
+ if (b > b_end)
+ {
+ while (vt != JSON_VALUE_ARRAY &&
+ (a->type & JSON_PATH_ARRAY_WILD) == JSON_PATH_ARRAY &&
+ a->n_item == 0)
+ {
+ if (++a > a_end)
+ return 0;
+ }
+ return -2;
+ }
+
+ DBUG_ASSERT((b->type & (JSON_PATH_WILD | JSON_PATH_DOUBLE_WILD)) == 0);
+
+
+ if (a->type & JSON_PATH_ARRAY)
+ {
+ if (b->type & JSON_PATH_ARRAY)
+ {
+ if ((a->type & JSON_PATH_WILD) || a->n_item == b->n_item)
+ goto step_fits;
+ goto step_failed;
+ }
+ if ((a->type & JSON_PATH_WILD) == 0 && a->n_item == 0)
+ goto step_fits_autowrap;
+ goto step_failed;
+ }
+ else /* JSON_PATH_KEY */
+ {
+ if (!(b->type & JSON_PATH_KEY))
+ goto step_failed;
+
+ if (!(a->type & JSON_PATH_WILD) &&
+ (a->key_end - a->key != b->key_end - b->key ||
+ memcmp(a->key, b->key, a->key_end - a->key) != 0))
+ goto step_failed;
+
+ goto step_fits;
+ }
+step_failed:
+ if (!(a->type & JSON_PATH_DOUBLE_WILD))
+ return -1;
+ b++;
+ continue;
+
+step_fits:
+ b++;
+ if (!(a->type & JSON_PATH_DOUBLE_WILD))
+ {
+ a++;
+ continue;
+ }
+
+ /* Double wild handling needs recursions. */
+ res= json_path_parts_compare(a+1, a_end, b, b_end, vt);
+ if (res == 0)
+ return 0;
+
+ res2= json_path_parts_compare(a, a_end, b, b_end, vt);
+
+ return (res2 >= 0) ? res2 : res;
+
+step_fits_autowrap:
+ if (!(a->type & JSON_PATH_DOUBLE_WILD))
+ {
+ a++;
+ continue;
+ }
+
+ /* Double wild handling needs recursions. */
+ res= json_path_parts_compare(a+1, a_end, b+1, b_end, vt);
+ if (res == 0)
+ return 0;
+
+ res2= json_path_parts_compare(a, a_end, b+1, b_end, vt);
+
+ return (res2 >= 0) ? res2 : res;
+
+ }
+
+ return b <= b_end;
+}
+
+
+int json_path_compare(const json_path_t *a, const json_path_t *b,
+ enum json_value_types vt)
+{
+ return json_path_parts_compare(a->steps+1, a->last_step,
+ b->steps+1, b->last_step, vt);
+}
+
static int json_nice(json_engine_t *je, String *nice_js,
Item_func_json_format::formats mode, int tab_size=4)
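Review bot: The stack-overrun bail-out at the top of json_path_parts_compare, `if (check_stack_overrun(current_thd, STACK_MIN_SIZE, NULL)) return 1;`, reuses a value the function already returns for a normal outcome, because the final `return b <= b_end;` also yields 1. A caller of json_path_compare therefore cannot tell an aborted comparison from a completed one by the return value alone, and in the double-wildcard branches a 1 from the first recursive call still triggers the second one. Whether that is safe depends on callers checking the THD error state, which is not visible in this hunk; the `return 0` added in the check_contains hunk has the same shape, since 0 there presumably reads as "not contained". I would either return a value outside the existing 0/-1/-2/1 set or document the contract above the function, e.g. `/* Also returns 1 on stack overrun; callers must check the THD error state. */`.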
@@ -1031,6 +1136,11 @@ static int check_contains(json_engine_t *js, json_engine_t *value)
json_engine_t loc_js;
bool set_js;
+ DBUG_EXECUTE_IF("json_check_min_stack_requirement",
+ {alloca(my_thread_stack_size-(STACK_MIN_SIZE));});
+ if (check_stack_overrun(current_thd, STACK_MIN_SIZE, NULL))
+ return 0;
+
switch (js->value_type)
{
case JSON_VALUE_OBJECT:
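Review bot: The debug injection `alloca(my_thread_stack_size-(STACK_MIN_SIZE))` sizes the allocation from the whole thread stack without subtracting what the calling frames already occupy, so with the `json_check_min_stack_requirement` keyword set the stack pointer can move past the end of the stack before check_stack_overrun runs. The call that follows may then fault instead of exercising the overrun path, and because the alloca result is unused an optimizing compiler may drop it altogether. Subtracting the stack already in use, along the lines of `alloca(my_thread_stack_size - used_so_far - STACK_MIN_SIZE)` with `used_so_far` as a placeholder for the measured depth, would keep the test deterministic. The identical line in the json_path_parts_compare, do_merge and do_merge_patch hunks has the same exposure; check_contains begins above and continues below this hunk.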
@@ -1919,6 +2029,12 @@ err_return:
static int do_merge(String *str, json_engine_t *je1, json_engine_t *je2)
{
+
+ DBUG_EXECUTE_IF("json_check_min_stack_requirement",
+ {alloca(my_thread_stack_size-(STACK_MIN_SIZE));});
+ if (check_stack_overrun(current_thd, STACK_MIN_SIZE, NULL))
+ return 1;
+
if (json_read_value(je1) || json_read_value(je2))
return 1;
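Review bot: This is the third of four identical copies of the guard (json_path_parts_compare, check_contains, do_merge, do_merge_patch), differing only in the value returned, and the copy here also adds a stray blank line after the opening brace. A single file-local macro would keep the debug keyword and the STACK_MIN_SIZE margin in one place, for example `#define JSON_STACK_GUARD(ret) do { if (check_stack_overrun(current_thd, STACK_MIN_SIZE, NULL)) return (ret); } while (0)` with the DBUG_EXECUTE_IF line folded in; the name is only a suggestion. It has to stay a macro rather than a helper function, because the alloca used by the debug hook must land in the recursing function's own frame. do_merge continues below the hunk.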
@@ -2251,6 +2367,11 @@ static int copy_value_patch(String *str, json_engine_t *je)
static int do_merge_patch(String *str, json_engine_t *je1, json_engine_t *je2,
bool *empty_result)
{
+ DBUG_EXECUTE_IF("json_check_min_stack_requirement",
+ {alloca(my_thread_stack_size-(STACK_MIN_SIZE));});
+ if (check_stack_overrun(current_thd, STACK_MIN_SIZE, NULL))
+ return 1;
+
if (json_read_value(je1) || json_read_value(je2))
return 1;