Commit 0d460bcd authored by Martin Hansson's avatar Martin Hansson

Bug#44684: valgrind reports invalid reads in

Item_func_spatial_collection::val_str
        
When the concatenation function for geometry data collections
reads the binary data, it was not rigorous in checking that there
is data available, leading to invalid reads and crashes.
Fixed by making the checks stricter.


mysql-test/r/gis.result:
  Bug#44684: Test result
mysql-test/t/gis.test:
  Bug#44684: Test case
sql/item_geofunc.cc:
  Bug#44684: fix(es)
  - Check that there are 4 bytes available for type code.
  - Check that there is at least one point available for linestring.
  - Check that there are at least 2 points in a polygon and
    data for all the points.
parent ed7f0f30
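--- a/mysql-test/r/gis.result
+++ b/mysql-test/r/gis.result
@@ -984,4 +984,52 @@ f4 geometry YES NULL
 f5 datetime YES NULL
 drop view v1;
 drop table t1;
+SELECT MultiPoint(12345,'');
+MultiPoint(12345,'')
+NULL
+SELECT MultiPoint(123451,'');
+MultiPoint(123451,'')
+NULL
+SELECT MultiPoint(1234512,'');
+MultiPoint(1234512,'')
+NULL
+SELECT MultiPoint(12345123,'');
+MultiPoint(12345123,'')
+NULL
+SELECT MultiLineString(12345,'');
+MultiLineString(12345,'')
+NULL
+SELECT MultiLineString(123451,'');
+MultiLineString(123451,'')
+NULL
+SELECT MultiLineString(1234512,'');
+MultiLineString(1234512,'')
+NULL
+SELECT MultiLineString(12345123,'');
+MultiLineString(12345123,'')
+NULL
+SELECT LineString(12345,'');
+LineString(12345,'')
+NULL
+SELECT LineString(123451,'');
+LineString(123451,'')
+NULL
+SELECT LineString(1234512,'');
+LineString(1234512,'')
+NULL
+SELECT LineString(12345123,'');
+LineString(12345123,'')
+NULL
+SELECT Polygon(12345,'');
+Polygon(12345,'')
+NULL
+SELECT Polygon(123451,'');
+Polygon(123451,'')
+NULL
+SELECT Polygon(1234512,'');
+Polygon(1234512,'')
+NULL
+SELECT Polygon(12345123,'');
+Polygon(12345123,'')
+NULL
 End of 5.1 tests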
...@@ -667,4 +667,28 @@ desc v1; ...@@ -667,4 +667,28 @@ desc v1;
drop view v1; drop view v1;
drop table t1; drop table t1;
#
# Bug#44684: valgrind reports invalid reads in
# Item_func_spatial_collection::val_str
#
SELECT MultiPoint(12345,'');
SELECT MultiPoint(123451,'');
SELECT MultiPoint(1234512,'');
SELECT MultiPoint(12345123,'');
SELECT MultiLineString(12345,'');
SELECT MultiLineString(123451,'');
SELECT MultiLineString(1234512,'');
SELECT MultiLineString(12345123,'');
SELECT LineString(12345,'');
SELECT LineString(123451,'');
SELECT LineString(1234512,'');
SELECT LineString(12345123,'');
SELECT Polygon(12345,'');
SELECT Polygon(123451,'');
SELECT Polygon(1234512,'');
SELECT Polygon(12345123,'');
--echo End of 5.1 tests --echo End of 5.1 tests
...@@ -416,7 +416,10 @@ String *Item_func_spatial_collection::val_str(String *str) ...@@ -416,7 +416,10 @@ String *Item_func_spatial_collection::val_str(String *str)
else else
{ {
enum Geometry::wkbType wkb_type; enum Geometry::wkbType wkb_type;
const char *data= res->ptr() + 4/*SRID*/ + 1; const uint data_offset= 4/*SRID*/ + 1;
if (res->length() < data_offset + sizeof(uint32))
goto err;
const char *data= res->ptr() + data_offset;
/* /*
In the case of named collection we must check that items In the case of named collection we must check that items
...@@ -439,7 +442,7 @@ String *Item_func_spatial_collection::val_str(String *str) ...@@ -439,7 +442,7 @@ String *Item_func_spatial_collection::val_str(String *str)
break; break;
case Geometry::wkb_linestring: case Geometry::wkb_linestring:
if (str->append(data, POINT_DATA_SIZE, 512)) if (len < POINT_DATA_SIZE || str->append(data, POINT_DATA_SIZE, 512))
goto err; goto err;
break; break;
case Geometry::wkb_polygon: case Geometry::wkb_polygon:
...@@ -448,11 +451,15 @@ String *Item_func_spatial_collection::val_str(String *str) ...@@ -448,11 +451,15 @@ String *Item_func_spatial_collection::val_str(String *str)
double x1, y1, x2, y2; double x1, y1, x2, y2;
const char *org_data= data; const char *org_data= data;
if (len < 4 + 2 * POINT_DATA_SIZE) if (len < 4)
goto err; goto err;
n_points= uint4korr(data); n_points= uint4korr(data);
data+= 4; data+= 4;
if (n_points < 2 || len < 4 + n_points * POINT_DATA_SIZE)
goto err;
float8get(x1, data); float8get(x1, data);
data+= SIZEOF_STORED_DOUBLE; data+= SIZEOF_STORED_DOUBLE;
float8get(y1, data); float8get(y1, data);
......
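Review bot: The polygon guard added in the third hunk, `if (n_points < 2 || len < 4 + n_points * POINT_DATA_SIZE)`, still lets an untrusted count through: `n_points` is read directly from the input by `uint4korr(data)`, and if it and `POINT_DATA_SIZE` are 32-bit unsigned quantities (their declarations are not visible here) the product can wrap, so the length test passes for a count the buffer cannot actually hold. Because `len >= 4` is already established by the `if (len < 4)` check two lines earlier, the bound can be expressed without the multiplication, `if (n_points < 2 || (len - 4) / POINT_DATA_SIZE < n_points) goto err;`, which rejects every oversized count regardless of integer width. The remainder of the polygon case, including any reads that step through the data using `n_points`, lies beyond the end of the hunk, as does the rest of `Item_func_spatial_collection::val_str`, so whether a wrapped count reaches an unchecked read cannot be confirmed from this view.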