[Commits] Rev 3190: MDEV-4252 geometry query crashes server. in file:///home/hf/wmar/51-mdev-4252/

holyfoot at askmonty.org holyfoot at askmonty.org
Mon Mar 18 16:06:08 EET 2013


At file:///home/hf/wmar/51-mdev-4252/

------------------------------------------------------------
revno: 3190
revision-id: holyfoot at askmonty.org-20130318135800-of22xm9k8wsic8sp
parent: sergii at pisem.net-20130318093503-eacexdyv4e3ama0i
committer: Alexey Botchkov <holyfoot at askmonty.org>
branch nick: 51-mdev-4252
timestamp: Mon 2013-03-18 17:58:00 +0400
message:
  MDEV-4252 geometry query crashes server.
      Additional fixes for possible overflows in length-related
      calculations in 'spatial' implementations.
      Checks added to the ::get_data_size() methods.
      max_n_points decreased to occupy less 2G size. An
      object of that size is practically inoperable anyway.
-------------- next part --------------
=== modified file 'mysql-test/r/gis.result'
--- a/mysql-test/r/gis.result	2013-03-10 19:08:05 +0000
+++ b/mysql-test/r/gis.result	2013-03-18 13:58:00 +0000
@@ -1087,7 +1087,19 @@ NULL
 #
 SELECT GEOMETRYCOLLECTION((SELECT @@OLD));
 ERROR 22007: Illegal non geometric '' value found during parsing
+#
+# MDEV-4252 geometry query crashes server
+#
 select astext(0x0100000000030000000100000000000010);
 astext(0x0100000000030000000100000000000010)
 NULL
+select envelope(0x0100000000030000000100000000000010);
+envelope(0x0100000000030000000100000000000010)
+NULL
+select geometryn(0x0100000000070000000100000001030000000200000000000000ffff0000, 1);
+geometryn(0x0100000000070000000100000001030000000200000000000000ffff0000, 1)
+NULL
+select geometryn(0x0100000000070000000100000001030000000200000000000000ffffff0f, 1);
+geometryn(0x0100000000070000000100000001030000000200000000000000ffffff0f, 1)
+NULL
 End of 5.1 tests

=== modified file 'mysql-test/t/gis.test'
--- a/mysql-test/t/gis.test	2013-03-10 19:08:05 +0000
+++ b/mysql-test/t/gis.test	2013-03-18 13:58:00 +0000
@@ -826,6 +826,12 @@ SELECT ISCLOSED(CONVERT(CONCAT('     ', 
 --error ER_ILLEGAL_VALUE_FOR_TYPE
 SELECT GEOMETRYCOLLECTION((SELECT @@OLD));
 
+--echo #
+--echo # MDEV-4252 geometry query crashes server
+--echo #
 select astext(0x0100000000030000000100000000000010);
+select envelope(0x0100000000030000000100000000000010);
+select geometryn(0x0100000000070000000100000001030000000200000000000000ffff0000, 1);
+select geometryn(0x0100000000070000000100000001030000000200000000000000ffffff0f, 1);
 
 --echo End of 5.1 tests

=== modified file 'sql/spatial.cc'
--- a/sql/spatial.cc	2013-03-10 19:08:05 +0000
+++ b/sql/spatial.cc	2013-03-18 13:58:00 +0000
@@ -394,18 +394,19 @@ const char *Geometry::append_points(Stri
 const char *Geometry::get_mbr_for_points(MBR *mbr, const char *data,
                                          uint offset) const
 {
-  uint32 points;
+  uint32 n_points;
   /* read number of points */
   if (no_data(data, 4))
     return 0;
-  points= uint4korr(data);
+  n_points= uint4korr(data);
   data+= 4;
 
-  if (no_data(data, (SIZEOF_STORED_DOUBLE * 2 + offset) * points))
+  if (n_points > max_n_points ||
+      no_data(data, (POINT_DATA_SIZE + offset) * n_points))
     return 0;
 
   /* Calculate MBR for points */
-  while (points--)
+  while (n_points--)
   {
     data+= offset;
     mbr->add_xy(data, data + SIZEOF_STORED_DOUBLE);
@@ -484,9 +485,12 @@ const Geometry::Class_info *Gis_point::g
 
 uint32 Gis_line_string::get_data_size() const 
 {
-  if (no_data(m_data, 4))
+  uint32 n_points, size;
+  if (no_data(m_data, 4) ||
+      (n_points= uint4korr(m_data)) > max_n_points ||
+      no_data(m_data, (size= 4 + n_points * POINT_DATA_SIZE)))
     return GET_SIZE_ERROR;
-  return 4 + uint4korr(m_data) * POINT_DATA_SIZE;
+  return size;
 }
 
 
@@ -665,6 +669,9 @@ int Gis_line_string::end_point(String *r
   if (no_data(m_data, 4))
     return 1;
   n_points= uint4korr(m_data);
+  if (n_points == 0 || n_points > max_n_points ||
+      no_data(m_data, POINT_DATA_SIZE * n_points))
+    return 1;
   return create_point(result, m_data + 4 + (n_points - 1) * POINT_DATA_SIZE);
 }
 
@@ -674,11 +681,14 @@ int Gis_line_string::point_n(uint32 num,
   uint32 n_points;
   if (no_data(m_data, 4))
     return 1;
+  num--;
   n_points= uint4korr(m_data);
-  if ((uint32) (num - 1) >= n_points) // means (num > n_points || num < 1)
+  if (num >= n_points ||
+      num > max_n_points || // means (num > n_points || num < 1)
+      no_data(m_data, num * POINT_DATA_SIZE))
     return 1;
 
-  return create_point(result, m_data + 4 + (num - 1) * POINT_DATA_SIZE);
+  return create_point(result, m_data + 4 + num*POINT_DATA_SIZE);
 }
 
 const Geometry::Class_info *Gis_line_string::get_class_info() const
@@ -692,6 +702,7 @@ const Geometry::Class_info *Gis_line_str
 uint32 Gis_polygon::get_data_size() const 
 {
   uint32 n_linear_rings;
+  uint32 n_points;
   const char *data= m_data;
 
   if (no_data(data, 4))
@@ -701,10 +712,13 @@ uint32 Gis_polygon::get_data_size() cons
 
   while (n_linear_rings--)
   {
-    if (no_data(data, 4))
+    if (no_data(data, 4) ||
+        (n_points= uint4korr(data)) > max_n_points)
       return GET_SIZE_ERROR;
-    data+= 4 + uint4korr(data)*POINT_DATA_SIZE;
+    data+= 4 + n_points*POINT_DATA_SIZE;
   }
+  if (no_data(data, 0))
+    return GET_SIZE_ERROR;
   return (uint32) (data - m_data);
 }
 
@@ -1037,9 +1051,14 @@ const Geometry::Class_info *Gis_polygon:
 
 uint32 Gis_multi_point::get_data_size() const 
 {
-  if (no_data(m_data, 4))
-    return GET_SIZE_ERROR;
-  return 4 + uint4korr(m_data)*(POINT_DATA_SIZE + WKB_HEADER_SIZE);
+  uint32 n_points;
+  uint32 size;
+
+  if (no_data(m_data, 4) ||
+      (n_points= uint4korr(m_data)) > max_n_points ||
+      no_data(m_data, (size= 4 + n_points*(POINT_DATA_SIZE + WKB_HEADER_SIZE))))
+     return GET_SIZE_ERROR;
+  return size;
 }
 
 
@@ -1107,7 +1126,8 @@ bool Gis_multi_point::get_data_as_wkt(St
     return 1;
 
   n_points= uint4korr(m_data);
-  if (no_data(m_data+4,
+  if (n_points > max_n_points ||
+      no_data(m_data+4,
               n_points * (SIZEOF_STORED_DOUBLE * 2 + WKB_HEADER_SIZE)) ||
       txt->reserve(((MAX_DIGITS_IN_DOUBLE + 1) * 2 + 1) * n_points))
     return 1;
@@ -1160,6 +1180,7 @@ const Geometry::Class_info *Gis_multi_po
 uint32 Gis_multi_line_string::get_data_size() const 
 {
   uint32 n_line_strings;
+  uint32 n_points;
   const char *data= m_data;
 
   if (no_data(data, 4))
@@ -1169,11 +1190,13 @@ uint32 Gis_multi_line_string::get_data_s
 
   while (n_line_strings--)
   {
-    if (no_data(data, WKB_HEADER_SIZE + 4))
+    if (no_data(data, WKB_HEADER_SIZE + 4) ||
+        (n_points= uint4korr(data + WKB_HEADER_SIZE)) > max_n_points)
       return GET_SIZE_ERROR;
-    data+= (WKB_HEADER_SIZE + 4 + uint4korr(data + WKB_HEADER_SIZE) *
-            POINT_DATA_SIZE);
+    data+= (WKB_HEADER_SIZE + 4 + n_points*POINT_DATA_SIZE);
   }
+  if (no_data(data, 0))
+    return GET_SIZE_ERROR;
   return (uint32) (data - m_data);
 }
 
@@ -1327,7 +1350,7 @@ int Gis_multi_line_string::geometry_n(ui
       return 1;
     n_points= uint4korr(data + WKB_HEADER_SIZE);
     length= WKB_HEADER_SIZE + 4+ POINT_DATA_SIZE * n_points;
-    if (no_data(data, length))
+    if (n_points > max_n_points || no_data(data, length))
       return 1;
     if (!--num)
       break;
@@ -1407,6 +1430,7 @@ const Geometry::Class_info *Gis_multi_li
 uint32 Gis_multi_polygon::get_data_size() const 
 {
   uint32 n_polygons;
+  uint32 n_points;
   const char *data= m_data;
 
   if (no_data(data, 4))
@@ -1425,11 +1449,14 @@ uint32 Gis_multi_polygon::get_data_size(
 
     while (n_linear_rings--)
     {
-      if (no_data(data, 4))
+      if (no_data(data, 4) ||
+          (n_points= uint4korr(data)) > max_n_points)
         return GET_SIZE_ERROR;
-      data+= 4 + uint4korr(data) * POINT_DATA_SIZE;
+      data+= 4 + n_points * POINT_DATA_SIZE;
     }
   }
+  if (no_data(data, 0))
+    return GET_SIZE_ERROR;
   return (uint32) (data - m_data);
 }
 

=== modified file 'sql/spatial.h'
--- a/sql/spatial.h	2013-03-10 19:08:05 +0000
+++ b/sql/spatial.h	2013-03-18 13:58:00 +0000
@@ -199,7 +199,7 @@ class Geometry
 public:
   // Maximum number of points in feature that can fit into String
   static const uint32 max_n_points=
-    (uint32) (UINT_MAX32 - WKB_HEADER_SIZE - 4 /* n_points */) /
+    (uint32) (INT_MAX32 - WKB_HEADER_SIZE - 4 /* n_points */) /
     POINT_DATA_SIZE;
 public:
   Geometry() {}                               /* Remove gcc warning */



More information about the commits mailing list