| Bug #78979 | Incorrect length check in Field_json::store_binary() | ||
|---|---|---|---|
| Submitted: | 27 Oct 2015 13:19 | Modified: | 30 Oct 2015 12:24 |
| Reporter: | Knut Anders Hatlen | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server: JSON | Severity: | S3 (Non-critical) |
| Version: | 5.7.9 | OS: | Any |
| Assigned to: | Knut Anders Hatlen | CPU Architecture: | Any |
[30 Oct 2015 12:24]
Jon Stephens
Fixed in MySQL 5.7.10. No user-facing changes to document. Closed.

Description:

Field_json::store_binary() has this piece of code:

```cpp
if (value.length() > UINT_MAX32)
{
  /* purecov: begin inspected */
  my_error(ER_JSON_VALUE_TOO_BIG, MYF(0));
  return TYPE_ERR_BAD_VALUE;
  /* purecov: end */
}
return Field_blob::store(ptr, length, field_charset);
```

The length check should check the length argument instead of value.length(). It doesn't make a big difference in practice, since max_allowed_packet effectively restricts the size of JSON documents to 1/4 of UINT_MAX32, and also most callers of store_binary() pass value.length() as the length argument. Should be fixed, though.

How to repeat:

N/A

Suggested fix:

Change "if (value.length() > UINT_MAX32)" to "if (length > UINT_MAX32)".
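The following is an added example, not MySQL source, that models the store_binary() check before and after the suggested fix. MockFieldBlob, kUintMax32, run_mismatched and run_consistent are constructed stand-ins for Field_blob::store(), UINT_MAX32 and the callers; the mock only records the (ptr, length) pair it is given and never reads the buffer, so the scenario can claim a length of 2^32 without allocating it. It shows why the guard must test the same quantity that is passed on: with the original check, a caller whose length argument disagrees with value.length() gets past the guard and the length is silently narrowed when packed into the 32-bit BLOB prefix; with the fixed check, the call is rejected before that happens.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <string>

// Constructed stand-ins for the server's UINT_MAX32 and type_conversion_status.
constexpr uint64_t kUintMax32 = std::numeric_limits<uint32_t>::max();
enum type_conversion_status { TYPE_OK = 0, TYPE_ERR_BAD_VALUE = 1 };

// Mock of Field_blob::store(): a BLOB length prefix is at most 4 bytes wide, so a
// length that does not fit in 32 bits is narrowed silently when packed. That
// silent narrowing is what the caller-side check in store_binary() must prevent.
// The mock only records (ptr, length); it never reads the buffer, so the
// scenarios below can claim a 4 GiB length without allocating one.
struct MockFieldBlob {
  uint32_t packed_length = 0;   // what would land in the row's length prefix
  const char *data = nullptr;
  type_conversion_status store(const char *ptr, uint64_t length) {
    packed_length = static_cast<uint32_t>(length);  // 2^32 narrows to 0
    data = ptr;
    return TYPE_OK;
  }
};

// Before the fix: the guard inspects value.length(), but what reaches the blob
// layer is the (ptr, length) pair. When the two disagree, the guard is bypassed.
type_conversion_status store_binary_before(MockFieldBlob &f, const std::string &value,
                                           const char *ptr, uint64_t length) {
  if (value.length() > kUintMax32) return TYPE_ERR_BAD_VALUE;
  return f.store(ptr, length);
}

// After the fix: the guard and the store test the same quantity.
type_conversion_status store_binary_after(MockFieldBlob &f, const std::string &value,
                                          const char *ptr, uint64_t length) {
  (void)value;  // kept so both variants share a signature
  if (length > kUintMax32) return TYPE_ERR_BAD_VALUE;
  return f.store(ptr, length);
}

struct Outcome {
  type_conversion_status status;
  uint32_t packed_length;
};

// Constructed mismatch: the caller passes a tiny value but claims a length of 2^32.
Outcome run_mismatched(bool fixed) {
  const std::string value = "{\"k\":1}";           // stand-in for a serialized JSON blob
  const uint64_t claimed_length = kUintMax32 + 1;  // one past what 32 bits can hold
  MockFieldBlob f;
  type_conversion_status st = fixed
      ? store_binary_after(f, value, value.data(), claimed_length)
      : store_binary_before(f, value, value.data(), claimed_length);
  return {st, f.packed_length};
}

// The common case noted in the report: the caller passes value.length() as the
// length argument, so both variants behave identically.
Outcome run_consistent(bool fixed) {
  const std::string value = "{\"k\":1}";
  MockFieldBlob f;
  type_conversion_status st = fixed
      ? store_binary_after(f, value, value.data(), value.length())
      : store_binary_before(f, value, value.data(), value.length());
  return {st, f.packed_length};
}

int main() {
  Outcome b = run_mismatched(false), a = run_mismatched(true);
  std::printf("before fix: status=%d packed_length=%u (guard bypassed, length truncated)\n",
              b.status, b.packed_length);
  std::printf("after fix:  status=%d (rejected before any narrowing)\n", a.status);
  return 0;
}
```

The report's observation that the defect is hard to reach in practice is reflected in run_consistent(): when callers pass value.length() as the length, the two checks are equivalent, and max_allowed_packet keeps real documents well below the 32-bit limit. The value of the fix is that the guard no longer depends on every caller keeping the two quantities in sync.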