From: Ramil Kalimullin
Date: August 30 2010 7:51am
Subject: bzr commit into mysql-5.1-bugteam branch (ramil:3494) Bug#51875
#At file:///home/ram/mysql/b51875-5.1-bugteam/ based on revid:vasil.dimov@stripped

 3494 Ramil Kalimullin	2010-08-30
      Fix for bug #51875: crash when loading data into geometry function polyfromwkb
      
      Check for number of line strings in the incoming polygon data (wkb) and
      for number of points in the incoming linestring wkb.
     @ mysql-test/r/gis.result
        Fix for bug #51875: crash when loading data into geometry function polyfromwkb
          - test result.
     @ mysql-test/t/gis.test
        Fix for bug #51875: crash when loading data into geometry function polyfromwkb
          - test case.
     @ sql/spatial.cc
        Fix for bug #51875: crash when loading data into geometry function polyfromwkb
          - creating a polygon from wkb check for number of line strings,
          - creating a linestring from wkb check for number of line points.

    modified:
      mysql-test/r/gis.result
      mysql-test/t/gis.test
      sql/spatial.cc
=== modified file 'mysql-test/r/gis.result'
--- a/mysql-test/r/gis.result	2010-02-26 13:16:46 +0000
+++ b/mysql-test/r/gis.result	2010-08-30 07:51:46 +0000
@@ -1057,4 +1057,11 @@ NULL
 SELECT Polygon(12345123,'');
 Polygon(12345123,'')
 NULL
+#
+# BUG#51875: crash when loading data into geometry function polyfromwkb
+#
+SET @a=0x00000000030000000100000000000000000000000000144000000000000014400000000000001840000000000000184000000000000014400000000000001440;
+SET @a=POLYFROMWKB(@a);
+SET @a=0x00000000030000000000000000000000000000000000144000000000000014400000000000001840000000000000184000000000000014400000000000001440;
+SET @a=POLYFROMWKB(@a);
 End of 5.1 tests
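
Review bot: The recorded result has no output lines between the new SET statements, so the test only shows that the server survives the two POLYFROMWKB calls; it would still pass if a geometry were built from the malformed input. Adding `SELECT @a IS NULL;` after each `SET @a=POLYFROMWKB(@a);` would record the outcome of the rejection in gis.result and catch a regression that stops short of a crash.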

=== modified file 'mysql-test/t/gis.test'
--- a/mysql-test/t/gis.test	2010-02-26 13:16:46 +0000
+++ b/mysql-test/t/gis.test	2010-08-30 07:51:46 +0000
@@ -722,4 +722,14 @@ SELECT Polygon(123451,'');
 SELECT Polygon(1234512,'');
 SELECT Polygon(12345123,'');
 
+
+--echo #
+--echo # BUG#51875: crash when loading data into geometry function polyfromwkb
+--echo #
+SET @a=0x00000000030000000100000000000000000000000000144000000000000014400000000000001840000000000000184000000000000014400000000000001440;
+SET @a=POLYFROMWKB(@a);
+SET @a=0x00000000030000000000000000000000000000000000144000000000000014400000000000001840000000000000184000000000000014400000000000001440;
+SET @a=POLYFROMWKB(@a);
+
+
 --echo End of 5.1 tests
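
Review bot: The two hex literals are opaque and differ in one field: the 4-byte count after the type word is 00000001 in the first (followed by a zero point count) and 00000000 in the second. A one-line comment above each SET naming the case (one ring with zero points, zero rings) would make it clear that both new checks are covered. The hunk also adds a second blank line before the `--echo` block and two after the last SET; one is enough.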

=== modified file 'sql/spatial.cc'
--- a/sql/spatial.cc	2010-07-20 18:07:36 +0000
+++ b/sql/spatial.cc	2010-08-30 07:51:46 +0000
@@ -528,7 +528,7 @@ uint Gis_line_string::init_from_wkb(cons
   n_points= wkb_get_uint(wkb, bo);
   proper_length= 4 + n_points * POINT_DATA_SIZE;
 
-  if (len < proper_length || res->reserve(proper_length))
+  if (!n_points || len < proper_length || res->reserve(proper_length))
     return 0;
 
   res->q_append(n_points);
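
Review bot: In the context line `proper_length= 4 + n_points * POINT_DATA_SIZE;` the multiplication still runs on the untrusted `n_points` before any bound is applied, and the new `!n_points` test only covers the zero case. If these are 32-bit unsigned values, a very large count can wrap `proper_length` to a small number and pass `len < proper_length`. Consider rejecting `n_points > (len - 4) / POINT_DATA_SIZE` before computing `proper_length`, after first confirming `len >= 4`.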
@@ -746,7 +746,9 @@ uint Gis_polygon::init_from_wkb(const ch
   if (len < 4)
     return 0;
 
-  n_linear_rings= wkb_get_uint(wkb, bo);
+  if (!(n_linear_rings= wkb_get_uint(wkb, bo)))
+    return 0;
+
   if (res->reserve(4, 512))
     return 0;
   wkb+= 4;
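
Review bot: The assignment inside the condition in `if (!(n_linear_rings= wkb_get_uint(wkb, bo)))` is easy to misread as a comparison and differs from the line string hunk, which assigns `n_points` first and tests it afterwards. Keeping `n_linear_rings= wkb_get_uint(wkb, bo);` and following it with `if (!n_linear_rings) return 0;` would be consistent. A short comment saying that a polygon with zero rings is rejected as invalid WKB would also help, since the visible checks here otherwise concern only `len` and `reserve`.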


Attachment: [text/bzr-bundle] bzr/ramil@mysql.com-20100830075146-xa2xcka0hpvt6mp1.bundle