Bug #81083 missing check_stack_overrun in json_binary::serialize_json_value
Submitted: 14 Apr 2016 13:56    Modified: 18 Aug 2016 11:13
Reporter: Tor Didriksen
Status: Closed
Category: MySQL Server: JSON    Severity: S2 (Serious)
Version: 5.7.13    OS: Any
CPU Architecture: Any

[14 Apr 2016 13:56] Tor Didriksen
Description:
There is no check for stack overrun in the json_binary functions.
Large objects may result in segfaults.

How to repeat:
./mtr --mem main.json
Built with CC: Studio 12.5 Sun C++ 5.14 SunOS_sparc

Suggested fix:
Add calls to check_stack_overrun in appropriate places.
It is better to reject a query than to segfault the server.
[18 Aug 2016 11:13] Jon Stephens
Documented fix in the MySQL 8.0.1 changelog, as follows:

    Internal tests for JSON functionality ran out of stack space on some
    platforms when run against a debug-enabled server. Because checks were
    not made for stack usage, the server did not detect this situation in
    time, leading to a server exit.

    The fix for this issue is twofold:

    1. Stack overrun checks are now made before attempting to serialize
    a nested array or object, and the operation fails gracefully
    when processing deeply nested JSON documents, rather than
    causing an exit.

    2. Serialization of JSON documents has been reorganised so that it
    requires less use of the stack when compiled without
    optimization.

Closed.
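The guarded descent the changelog describes, as an added example that is not MySQL's code: a toy recursive serializer checks an approximate stack budget before entering each nested array and fails the operation instead of overrunning the stack. `Value`, `StackGuard`, `serialize_json`, `nested` and the byte budget are constructed for illustration; the interface of the real `check_stack_overrun` is not modelled here.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <utility>
#include <vector>
// Minimal JSON value for this example: a string scalar or an array of values.
struct Value {
    std::string scalar;          // used when children is empty
    std::vector<Value> children; // non-empty means "array"
};

// Stack usage is approximated as the distance between a marker in the entry frame
// and a marker in the current frame (same idea as a stack-overrun check, not MySQL's code).
struct StackGuard {
    std::uintptr_t base; // address of the marker in the entry frame
    std::size_t budget;  // bytes of stack the serializer may consume
    bool overrun() const {
        char marker;
        std::uintptr_t cur = reinterpret_cast<std::uintptr_t>(&marker);
        return (base > cur ? base - cur : cur - base) > budget; // works for either growth direction
    }
};

// Recursive serializer. The check runs *before* descending into a nested
// array, so a too-deep document is rejected instead of overrunning the stack.
static bool serialize(const Value &v, const StackGuard &guard, std::string &out) {
    if (v.children.empty()) { out += '"' + v.scalar + '"'; return true; }
    if (guard.overrun()) { out = "error: document nested too deeply"; return false; }
    out += '[';
    for (std::size_t i = 0; i < v.children.size(); ++i) {
        if (i) out += ',';
        if (!serialize(v.children[i], guard, out)) return false;
    }
    out += ']';
    return true;
}
// Entry point: records the base marker once, then serializes under `budget`.
bool serialize_json(const Value &v, std::size_t budget, std::string &out) {
    char base_marker;
    StackGuard guard{reinterpret_cast<std::uintptr_t>(&base_marker), budget};
    out.clear();
    return serialize(v, guard, out);
}
// Builds [[...["x"]...]] nested `depth` levels deep (constructed test input).
Value nested(unsigned depth) {
    Value v; v.scalar = "x";
    while (depth--) { Value outer; outer.children.push_back(std::move(v)); v = std::move(outer); }
    return v;
}
```

A shallow document under a generous budget serializes normally; a deeply nested one under a tight budget is rejected at the first descent that exceeds the budget, long before the real thread stack is exhausted.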