[Commits] Rev 3682: TODO-424 geometry query crashes server. in file:///home/hf/wmar/todo-424/

holyfoot at askmonty.org holyfoot at askmonty.org
Tue Mar 5 23:54:01 EET 2013


At file:///home/hf/wmar/todo-424/

------------------------------------------------------------
revno: 3682
revision-id: holyfoot at askmonty.org-20130305214525-2lgv24a11bmeu6iq
parent: monty at askmonty.org-20130305181536-uvvo9gls2oi3nq7a
committer: Alexey Botchkov <holyfoot at askmonty.org>
branch nick: todo-424
timestamp: Wed 2013-03-06 01:45:25 +0400
message:
  TODO-424 geometry query crashes server.
          The bug was found by Alyssa Milburn.
          If the number of points of a geometry feature read from
          binary representation is greater than 0x10000000, then
          the (uint32) (num_points * 16) will truncate the higher bits,
          which leads to various errors.
          Fixed by additional check if (num_points > max_n_points).
=== modified file 'mysql-test/r/gis.result'
--- a/mysql-test/r/gis.result	2013-02-20 21:03:45 +0000
+++ b/mysql-test/r/gis.result	2013-03-05 21:45:25 +0000
@@ -1498,4 +1498,19 @@ create table t1 (pt point);
 insert into t1 values(Geomfromtext('POLYGON((1 1, 2 2, 2 1, 1 1))'));
 ERROR 22007: Incorrect POINT value: 'POLYGON' for column 'pt' at row 1
 drop table t1;
+#
+# TODO-424 geometry query crashes server
+#
+select astext(0x0100000000030000000100000000000010);
+astext(0x0100000000030000000100000000000010)
+NULL
+select st_area(0x0100000000030000000100000000000010);
+st_area(0x0100000000030000000100000000000010)
+NULL
+select astext(st_exteriorring(0x0100000000030000000100000000000010));
+astext(st_exteriorring(0x0100000000030000000100000000000010))
+NULL
+select astext(st_centroid(0x0100000000030000000100000000000010));
+astext(st_centroid(0x0100000000030000000100000000000010))
+NULL
 End of 5.5 tests

=== modified file 'mysql-test/t/gis.test'
--- a/mysql-test/t/gis.test	2013-02-20 21:03:45 +0000
+++ b/mysql-test/t/gis.test	2013-03-05 21:45:25 +0000
@@ -1367,4 +1367,11 @@ create table t1 (pt point);
 insert into t1 values(Geomfromtext('POLYGON((1 1, 2 2, 2 1, 1 1))'));
 drop table t1;
 
+--echo #
+--echo # TODO-424 geometry query crashes server
+--echo #
+select astext(0x0100000000030000000100000000000010);
+select st_area(0x0100000000030000000100000000000010);
+select astext(st_exteriorring(0x0100000000030000000100000000000010));
+select astext(st_centroid(0x0100000000030000000100000000000010));
 --echo End of 5.5 tests
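Review bot: The four new cases all feed the same hex value, which appears to be a single polygon with one ring, so they exercise only the Gis_polygon paths (astext, st_area, st_exteriorring, st_centroid); the commit also adds the bound to Gis_multi_line_string::get_data_as_wkt, Gis_multi_polygon::get_data_as_wkt, Gis_multi_polygon::geometry_n and Gis_polygon::interior_ring_n, none of which these queries reach. Adding a multilinestring and a multipolygon WKB constructed with the same oversized point count, plus an `st_interiorringn(...)` and `st_geometryn(...)` call on them, would pin those code paths and catch a regression in the skip loops, where the wrap is silent rather than a crash.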

=== modified file 'sql/spatial.cc'
--- a/sql/spatial.cc	2012-11-22 09:19:31 +0000
+++ b/sql/spatial.cc	2013-03-05 21:45:25 +0000
@@ -631,7 +631,7 @@ bool Gis_line_string::get_data_as_wkt(St
   n_points= uint4korr(data);
   data += 4;
 
-  if (n_points < 1 ||
+  if (n_points < 1 || n_points > max_n_points ||
       no_data(data, POINT_DATA_SIZE * n_points) ||
       txt->reserve(((MAX_DIGITS_IN_DOUBLE + 1)*2 + 1) * n_points))
     return 1;
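Review bot: The added bound makes `POINT_DATA_SIZE * n_points` on the next line non-wrapping, but the `txt->reserve(((MAX_DIGITS_IN_DOUBLE + 1)*2 + 1) * n_points)` term uses a different multiplier that max_n_points does not bound, so that uint32 product can still wrap for an n_points that passes the check whenever `(MAX_DIGITS_IN_DOUBLE + 1)*2 + 1` exceeds POINT_DATA_SIZE, which it very likely does. It is unreachable only because `no_data()` is evaluated first and would have to find several GiB of point data in the buffer; the safety rests on operand order rather than on the bound itself. Either a comment such as `/* max_n_points bounds the WKB size; the WKT reserve() below relies on no_data() having run first */` or an explicit `n_points > UINT_MAX32 / ((MAX_DIGITS_IN_DOUBLE + 1)*2 + 1)` guard would make that intent durable against reordering. The same applies to the reserve() calls in the Gis_polygon::get_data_as_wkt, Gis_multi_line_string::get_data_as_wkt and Gis_multi_polygon::get_data_as_wkt hunks. get_data_as_wkt starts and continues outside this hunk.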
@@ -669,7 +669,8 @@ int Gis_line_string::geom_length(double 
     return 1;
   n_points= uint4korr(data);
   data+= 4;
-  if (n_points < 1 || no_data(data, POINT_DATA_SIZE * n_points))
+  if (n_points < 1 || n_points > max_n_points ||
+      no_data(data, POINT_DATA_SIZE * n_points))
     return 1;
 
   get_point(&prev_x, &prev_y, data);
@@ -717,7 +718,7 @@ int Gis_line_string::is_closed(int *clos
     return 0;
   }
   data+= 4;
-  if (n_points == 0 ||
+  if (n_points == 0 || n_points > max_n_points ||
       no_data(data, POINT_DATA_SIZE * n_points))
     return 1;
 
@@ -782,7 +783,8 @@ int Gis_line_string::store_shapes(Gcalc_
     return 1;
   n_points= uint4korr(data);
   data+= 4;
-  if (n_points < 1 || no_data(data, POINT_DATA_SIZE * n_points))
+  if (n_points < 1 ||  n_points > max_n_points ||
+      no_data(data, POINT_DATA_SIZE * n_points))
     return 1;
 
   trn->start_line();
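Review bot: The new condition has a doubled space before the second operand, `n_points < 1 ||  n_points > max_n_points ||`, which differs from the single-space form used in the other hunks of this commit; `if (n_points < 1 || n_points > max_n_points ||` keeps it consistent. store_shapes starts and continues outside this hunk.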
@@ -966,7 +968,7 @@ bool Gis_polygon::get_data_as_wkt(String
       return 1;
     n_points= uint4korr(data);
     data+= 4;
-    if (no_data(data, POINT_DATA_SIZE * n_points) ||
+    if (n_points > max_n_points || no_data(data, POINT_DATA_SIZE * n_points) ||
         txt->reserve(2 + ((MAX_DIGITS_IN_DOUBLE + 1) * 2 + 1) * n_points))
       return 1;
     txt->qs_append('(');
@@ -1020,7 +1022,7 @@ int Gis_polygon::area(double *ar, const 
     if (no_data(data, 4))
       return 1;
     n_points= uint4korr(data);
-    if (no_data(data, POINT_DATA_SIZE * n_points))
+    if (n_points > max_n_points || no_data(data, POINT_DATA_SIZE * n_points))
       return 1;
     get_point(&prev_x, &prev_y, data+4);
     data+= (4+POINT_DATA_SIZE);
@@ -1056,7 +1058,8 @@ int Gis_polygon::exterior_ring(String *r
   n_points= uint4korr(data);
   data+= 4;
   length= n_points * POINT_DATA_SIZE;
-  if (no_data(data, length) || result->reserve(1 + 4 + 4 + length))
+  if (n_points > max_n_points ||
+      no_data(data, length) || result->reserve(1 + 4 + 4 + length))
     return 1;
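Review bot: `length= n_points * POINT_DATA_SIZE;` is still computed before n_points is validated, so the wrapping product is formed and only then discarded by the new check; moving the assignment after the guard, `if (n_points > max_n_points) return 1; length= n_points * POINT_DATA_SIZE;`, makes the invariant that length never wraps visible at the point of use. The same ordering appears with points_size in the Gis_polygon::interior_ring_n hunk. exterior_ring starts and continues outside this hunk.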
 
   result->q_append((char) wkb_ndr);
@@ -1102,7 +1105,8 @@ int Gis_polygon::interior_ring_n(uint32 
   n_points= uint4korr(data);
   points_size= n_points * POINT_DATA_SIZE;
   data+= 4;
-  if (no_data(data, points_size) || result->reserve(1 + 4 + 4 + points_size))
+  if (n_points > max_n_points ||
+      no_data(data, points_size) || result->reserve(1 + 4 + 4 + points_size))
     return 1;
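Review bot: The bound is applied only to the ring finally returned; the loop that skips over the preceding n_ring rings is outside this hunk, and if it advances `data` by `4 + n_points * POINT_DATA_SIZE` in the same way Gis_multi_polygon::geometry_n does, the n_points read there needs the same `n_points > max_n_points` rejection, otherwise the wrap the commit fixes remains reachable through st_interiorringn. Please confirm against the loop body; if it already bounds the count, a one-line comment at this check saying the skip loop validated the earlier rings would help the next reader. interior_ring_n starts and continues outside this hunk.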
 
   result->q_append((char) wkb_ndr);
@@ -1141,7 +1145,7 @@ int Gis_polygon::centroid_xy(double *x, 
       return 1;
     org_n_points= n_points= uint4korr(data);
     data+= 4;
-    if (no_data(data, POINT_DATA_SIZE * n_points))
+    if (n_points > max_n_points || no_data(data, POINT_DATA_SIZE * n_points))
       return 1;
     get_point(&prev_x, &prev_y, data);
     data+= POINT_DATA_SIZE;
@@ -1215,7 +1219,8 @@ int Gis_polygon::store_shapes(Gcalc_shap
       return 1;
     n_points= uint4korr(data);
     data+= 4;
-    if (!n_points || no_data(data, POINT_DATA_SIZE * n_points))
+    if (!n_points || n_points > max_n_points ||
+        no_data(data, POINT_DATA_SIZE * n_points))
       return 1;
 
     trn->start_ring();
@@ -1583,7 +1588,7 @@ bool Gis_multi_line_string::get_data_as_
       return 1;
     n_points= uint4korr(data + WKB_HEADER_SIZE);
     data+= WKB_HEADER_SIZE + 4;
-    if (no_data(data, n_points * POINT_DATA_SIZE) ||
+    if (n_points > max_n_points || no_data(data, n_points * POINT_DATA_SIZE) ||
         txt->reserve(2 + ((MAX_DIGITS_IN_DOUBLE + 1) * 2 + 1) * n_points))
       return 1;
     txt->qs_append('(');
@@ -1905,7 +1910,8 @@ bool Gis_multi_polygon::get_data_as_wkt(
         return 1;
       uint32 n_points= uint4korr(data);
       data+= 4;
-      if (no_data(data, POINT_DATA_SIZE * n_points) ||
+      if (n_points > max_n_points ||
+          no_data(data, POINT_DATA_SIZE * n_points) ||
           txt->reserve(2 + ((MAX_DIGITS_IN_DOUBLE + 1) * 2 + 1) * n_points,
                        512))
         return 1;
@@ -1988,6 +1994,8 @@ int Gis_multi_polygon::geometry_n(uint32
       if (no_data(data, 4))
         return 1;
       n_points= uint4korr(data);
+      if (n_points > max_n_points)
+        return 1;
       data+= 4 + POINT_DATA_SIZE * n_points;
     }
   } while (--num);
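Review bot: The new guard stops the uint32 wrap, but `data+= 4 + POINT_DATA_SIZE * n_points;` can still move data up to roughly 4 GiB past m_data_end before the next iteration's `no_data(data, 4)` notices; that forms an out-of-range pointer, and on a 32-bit address space the comparison itself could be defeated by pointer wrap. Checking the skipped ring's data before advancing, `if (n_points > max_n_points || no_data(data + 4, POINT_DATA_SIZE * n_points)) return 1;`, keeps data inside the buffer and rejects truncated input at the point it is detected rather than one loop later. geometry_n starts outside this hunk.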

=== modified file 'sql/spatial.h'
--- a/sql/spatial.h	2012-11-22 09:19:31 +0000
+++ b/sql/spatial.h	2013-03-05 21:45:25 +0000
@@ -210,6 +210,11 @@ struct Geometry_buffer;
 class Geometry
 {
 public:
+  // Maximum number of points in feature that can fit into String
+  static const uint32 max_n_points=
+    (uint32) (UINT_MAX32 - WKB_HEADER_SIZE - 4 /* n_points */) /
+    POINT_DATA_SIZE;
+
   Geometry() {}                               /* Remove gcc warning */
   virtual ~Geometry() {}                        /* Remove gcc warning */
   static void *operator new(size_t size, void *buffer)
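Review bot: The comment moved with the constant still says "can fit into String", but now that every geometry type's reader compares against it the property actually relied on is that `WKB_HEADER_SIZE + 4 + n_points * POINT_DATA_SIZE` cannot exceed UINT_MAX32, so `n_points * POINT_DATA_SIZE` never wraps before `no_data()` sees it; a comment stating that, e.g. `// Largest n_points for which WKB_HEADER_SIZE + 4 + n_points * POINT_DATA_SIZE fits in uint32; check against this before multiplying a point count read from WKB`, documents the contract the spatial.cc call sites depend on. Since only Geometry subclasses use it, `protected:` would also be sufficient in place of public exposure, unless external callers are planned.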
@@ -391,10 +396,6 @@ class Gis_point: public Geometry
 
 class Gis_line_string: public Geometry
 {
-  // Maximum number of points in LineString that can fit into String
-  static const uint32 max_n_points=
-    (uint32) (UINT_MAX32 - WKB_HEADER_SIZE - 4 /* n_points */) /
-    POINT_DATA_SIZE;
 public:
   Gis_line_string() {}                        /* Remove gcc warning */
   virtual ~Gis_line_string() {}               /* Remove gcc warning */


