From:Martin Hansson Date:June 17 2009 2:58pm
Subject:bzr commit into mysql-5.1-bugteam branch (mhansson:2931) Bug#44684
#At file:///data0/martin/bzr/bug44684/5.1bt-gca/ based on revid:gshchepa@stripped

 2931 Martin Hansson	2009-06-17
      Bug#44684: valgrind reports invalid reads in 
      Item_func_spatial_collection::val_str
              
      When the concatenation function for geometry data collections
      reads the binary data, it was not rigorous in checking that the
      data is actually available, leading to invalid reads and crashes.
      Fixed by making the checks stricter.
     @ mysql-test/r/gis.result
        Bug#44684: Test result
     @ mysql-test/t/gis.test
        Bug#44684: Test case
     @ sql/item_geofunc.cc
        Bug#44684: fix(es)
        - Check that there are 4 bytes available for type code.
        - Check that there is at least one point available for linestring.
        - Check that there are at least 2 points in a polygon and
          data for all the points.

    modified:
      mysql-test/r/gis.result
      mysql-test/t/gis.test
      sql/item_geofunc.cc
=== modified file 'mysql-test/r/gis.result'
--- a/mysql-test/r/gis.result	2009-04-29 02:59:10 +0000
+++ b/mysql-test/r/gis.result	2009-06-17 14:58:33 +0000
@@ -984,4 +984,52 @@ f4	geometry	YES		NULL	
 f5	datetime	YES		NULL	
 drop view v1;
 drop table t1;
+SELECT MultiPoint(12345,'');
+MultiPoint(12345,'')
+NULL
+SELECT MultiPoint(123451,'');
+MultiPoint(123451,'')
+NULL
+SELECT MultiPoint(1234512,'');
+MultiPoint(1234512,'')
+NULL
+SELECT MultiPoint(12345123,'');
+MultiPoint(12345123,'')
+NULL
+SELECT MultiLineString(12345,'');
+MultiLineString(12345,'')
+NULL
+SELECT MultiLineString(123451,'');
+MultiLineString(123451,'')
+NULL
+SELECT MultiLineString(1234512,'');
+MultiLineString(1234512,'')
+NULL
+SELECT MultiLineString(12345123,'');
+MultiLineString(12345123,'')
+NULL
+SELECT LineString(12345,'');
+LineString(12345,'')
+NULL
+SELECT LineString(123451,'');
+LineString(123451,'')
+NULL
+SELECT LineString(1234512,'');
+LineString(1234512,'')
+NULL
+SELECT LineString(12345123,'');
+LineString(12345123,'')
+NULL
+SELECT Polygon(12345,'');
+Polygon(12345,'')
+NULL
+SELECT Polygon(123451,'');
+Polygon(123451,'')
+NULL
+SELECT Polygon(1234512,'');
+Polygon(1234512,'')
+NULL
+SELECT Polygon(12345123,'');
+Polygon(12345123,'')
+NULL
 End of 5.1 tests

=== modified file 'mysql-test/t/gis.test'
--- a/mysql-test/t/gis.test	2009-04-29 02:59:10 +0000
+++ b/mysql-test/t/gis.test	2009-06-17 14:58:33 +0000
@@ -667,4 +667,28 @@ desc v1;
 drop view v1;
 drop table t1;
 
+#
+# Bug#44684: valgrind reports invalid reads in 
+# Item_func_spatial_collection::val_str
+#
+SELECT MultiPoint(12345,'');
+SELECT MultiPoint(123451,'');
+SELECT MultiPoint(1234512,'');
+SELECT MultiPoint(12345123,'');
+
+SELECT MultiLineString(12345,'');
+SELECT MultiLineString(123451,'');
+SELECT MultiLineString(1234512,'');
+SELECT MultiLineString(12345123,'');
+
+SELECT LineString(12345,'');
+SELECT LineString(123451,'');
+SELECT LineString(1234512,'');
+SELECT LineString(12345123,'');
+
+SELECT Polygon(12345,'');
+SELECT Polygon(123451,'');
+SELECT Polygon(1234512,'');
+SELECT Polygon(12345123,'');
+
 --echo End of 5.1 tests
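Review bot: All sixteen added cases pass an integer and an empty string, i.e. values of at most 8 bytes, so as far as the diff shows every one of them is rejected by the new `res->length() < data_offset + sizeof(uint32)` check at the top of val_str and never reaches the linestring or polygon branches. The `len < POINT_DATA_SIZE` and `n_points` checks added in item_geofunc.cc therefore get no coverage from this test; a case that supplies a well-formed 5-byte header followed by a truncated point list would exercise them. A short comment above the block, `# All arguments are shorter than the 9-byte header, so only the type-code length check is exercised`, would at least make that limitation explicit to the next reader.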

=== modified file 'sql/item_geofunc.cc'
--- a/sql/item_geofunc.cc	2009-04-29 02:59:10 +0000
+++ b/sql/item_geofunc.cc	2009-06-17 14:58:33 +0000
@@ -416,7 +416,10 @@ String *Item_func_spatial_collection::va
     else
     {
       enum Geometry::wkbType wkb_type;
-      const char *data= res->ptr() + 4/*SRID*/ + 1;
+      const uint data_offset= 4/*SRID*/ + 1;
+      if (res->length() < data_offset + sizeof(uint32))
+        goto err;
+      const char *data= res->ptr() + data_offset;
 
       /*
 	In the case of named collection we must check that items
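Review bot: The new length check spells the type-code size as `sizeof(uint32)` while the polygon branch later in this function checks the same 4-byte count field with a bare `4` (`if (len < 4)`); using one form for both, e.g. `if (len < sizeof(uint32))` in the polygon case, keeps the two guards recognisably the same idea. A one-line comment on the new check, `/* 4-byte WKB type code must be present before it is read */`, would also say why `sizeof(uint32)` is added to the offset. val_str begins and continues outside this hunk.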
@@ -439,7 +442,7 @@ String *Item_func_spatial_collection::va
 	break;
 
       case Geometry::wkb_linestring:
-	if (str->append(data, POINT_DATA_SIZE, 512))
+	if (len < POINT_DATA_SIZE || str->append(data, POINT_DATA_SIZE, 512))
 	  goto err;
 	break;
       case Geometry::wkb_polygon:
@@ -448,11 +451,15 @@ String *Item_func_spatial_collection::va
 	double x1, y1, x2, y2;
 	const char *org_data= data;
 
-	if (len < 4 + 2 * POINT_DATA_SIZE)
+	if (len < 4)
 	  goto err;
 
 	n_points= uint4korr(data);
 	data+= 4;
+
+        if (n_points < 2 || len < 4 + n_points * POINT_DATA_SIZE)
+          goto err;
+        
 	float8get(x1, data);
 	data+= SIZEOF_STORED_DOUBLE;
 	float8get(y1, data);
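Review bot: The added guard `len < 4 + n_points * POINT_DATA_SIZE` can be defeated by arithmetic wraparound: n_points is a value read straight from the input by `uint4korr`, and if it and len are 32-bit unsigned as they appear to be, a large count makes the product overflow so the comparison passes and the point reads that follow (outside this hunk) still run past the buffer the commit set out to protect. Dividing instead of multiplying avoids the overflow, `if (n_points < 2 || (len - 4) / POINT_DATA_SIZE < n_points) goto err;`, and the preceding `len < 4` check already keeps `len - 4` well-defined. The same four added lines are indented with spaces where the surrounding code uses tabs, and the blank line after them carries trailing whitespace. The enclosing `case Geometry::wkb_polygon:` body and val_str both begin and end outside this hunk.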


Attachment: [text/bzr-bundle] bzr/mhansson@mysql.com-20090617145833-bcvtfzzk7vkgfwzx.bundle