[MDEV-32963] UBSAN: signed integer overflow: X + Y cannot be represented in type 'int' in strings/json_lib.c
Created: 2023-12-07  Updated: 2023-12-11

Status: Open
Project: MariaDB Server
Component/s: JSON
Affects Version/s: 10.9, 10.10, 10.11, 11.1, 11.2, 11.3
Fix Version/s: 11.1, 11.2, 11.3

Type: Bug Priority: Major
Reporter: Ramesh Sivaraman Assignee: Rucha Deodhar
Resolution: Unresolved Votes: 0
Labels: None


Description

SELECT ST_ASGEOJSON(ST_GEOMFROMTEXT("POINT(1 11)",13),2147483647);
SELECT JSON_INSERT('{ "a" : "foo","b" : [ 1,2,3 ] }','$.a[1]',true);

Leads to:

10.10.7 04d9a46c41b36b61057741abddf7840962e76893 (Optimized)

/test/10.10_opt_san/strings/json_lib.c:1456:69: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'

10.10.7 04d9a46c41b36b61057741abddf7840962e76893 (Optimized)

    #0 0x5621389bd06d in json_find_path /test/10.10_opt_san/strings/json_lib.c:1456
    #1 0x5621356bb8f7 in Item_func_json_insert::val_str(String*) /test/10.10_opt_san/sql/item_jsonfunc.cc:3177
    #2 0x56213588284d in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /test/10.10_opt_san/sql/sql_type.cc:7469
    #3 0x56213440e381 in Protocol::send_result_set_row(List<Item>*) /test/10.10_opt_san/sql/protocol.cc:1334
    #4 0x562134788e29 in select_send::send_data(List<Item>&) /test/10.10_opt_san/sql/sql_class.cc:3135
    #5 0x562134e9eeb7 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/10.10_opt_san/sql/sql_class.h:5818
    #6 0x562134e9eeb7 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/10.10_opt_san/sql/sql_class.h:5808
    #7 0x562134e9eeb7 in JOIN::exec_inner() /test/10.10_opt_san/sql/sql_select.cc:4751
    #8 0x562134ea3279 in JOIN::exec() /test/10.10_opt_san/sql/sql_select.cc:4663
    #9 0x562134e914e1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.10_opt_san/sql/sql_select.cc:5143
    #10 0x562134e950b3 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.10_opt_san/sql/sql_select.cc:588
    #11 0x562134a82e4f in execute_sqlcom_select /test/10.10_opt_san/sql/sql_parse.cc:6289
    #12 0x562134ad3d14 in mysql_execute_command(THD*, bool) /test/10.10_opt_san/sql/sql_parse.cc:3960
    #13 0x562134a53100 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.10_opt_san/sql/sql_parse.cc:8055
    #14 0x562134aa8520 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.10_opt_san/sql/sql_parse.cc:1894
    #15 0x562134ab3d5d in do_command(THD*, bool) /test/10.10_opt_san/sql/sql_parse.cc:1407
    #16 0x5621353d18ed in do_handle_one_connection(CONNECT*, bool) /test/10.10_opt_san/sql/sql_connect.cc:1416
    #17 0x5621353d3f5c in handle_one_connection /test/10.10_opt_san/sql/sql_connect.cc:1318
    #18 0x14558695c608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
    #19 0x145585bd1132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

Setup:

Compiled with GCC >=7.5.0 (I use GCC 11.4.0) and:
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
Set before execution:
    export UBSAN_OPTIONS=print_stacktrace=1

Bug confirmed present in:
MariaDB: 10.9.8 (opt), 10.10.7 (opt), 10.11.6 (opt), 11.1.3 (opt), 11.2.2 (opt), 11.3.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.4.32 (dbg), 10.4.32 (opt), 10.5.23 (dbg), 10.5.23 (opt), 10.6.16 (dbg), 10.6.16 (opt), 10.9.8 (dbg), 10.10.7 (dbg), 10.11.6 (dbg), 11.0.4 (dbg), 11.0.4 (opt), 11.1.3 (dbg), 11.2.2 (dbg), 11.3.0 (dbg)
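
The report shows the sanitizer output but not the code at json_lib.c:1456, so the following is an added C example and not MariaDB's code: it reproduces the class of defect UBSAN is reporting (adding 1 to an int that already holds 2147483647, i.e. INT_MAX) and shows two ways to make the same increment well-defined. The function names are assumptions for illustration only.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Unchecked form. When n == INT_MAX the expression n + 1 is undefined
 * behaviour in C. Built with -fsanitize=undefined this is the kind of
 * code that yields a report of the form
 * "signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'".
 * It is kept here only to show the pattern; the tests never call it with INT_MAX. */
int next_index_unchecked(int n)
{
    return n + 1;
}

/* Guard 1: detect the overflow before it happens. __builtin_add_overflow
 * (GCC >= 5, Clang) returns true if the mathematically correct result does
 * not fit in the destination type, without performing the undefined addition. */
bool inc_overflows(int n)
{
    int tmp;
    return __builtin_add_overflow(n, 1, &tmp);
}

/* Guard 2: widen before adding. (long long)n + 1 cannot overflow for any int n,
 * so the caller can compare the wide value against INT_MAX and decide what to do. */
long long next_index_wide(int n)
{
    return (long long)n + 1;
}

/* Portable variant of guard 1 for compilers without the builtin:
 * compare first, add only when the result is representable. */
bool inc_overflows_portable(int n)
{
    return n == INT_MAX;
}

int main(void)
{
    /* Constructed input: the value from the sanitizer report. */
    int n = 2147483647;

    if (inc_overflows(n))
        printf("%d + 1 would overflow int; refusing to increment\n", n);

    long long wide = next_index_wide(n);
    printf("widened: %d + 1 = %lld (fits in long long)\n", n, wide);

    /* Safe to call the unchecked form only when the guard says so. */
    if (!inc_overflows(5))
        printf("5 + 1 = %d\n", next_index_unchecked(5));
    return 0;
}
```

Compiling the block with `-fsanitize=undefined -fno-sanitize-recover=undefined` and calling `next_index_unchecked(INT_MAX)` aborts at the addition, which is the quickest way to confirm a sanitizer build catches this pattern; the guarded functions run clean under the same flags.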


Generated at Thu Feb 08 10:35:21 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.