Commit b070fb4d authored by Alexey Botchkov's avatar Alexey Botchkov

TODO-424 geometry query crashes server.

        The bug was found by Alyssa Milburn.
        If the number of points of a geometry feature read from
        binary representation is greater than 0x10000000, then
        the uint32 product (num_points * 16) wraps around and loses the high bits,
        which leads to various errors.
        Fixed by additional check if (num_points > max_n_points).
parent 8c6703d5
...@@ -1498,4 +1498,19 @@ create table t1 (pt point); ...@@ -1498,4 +1498,19 @@ create table t1 (pt point);
insert into t1 values(Geomfromtext('POLYGON((1 1, 2 2, 2 1, 1 1))')); insert into t1 values(Geomfromtext('POLYGON((1 1, 2 2, 2 1, 1 1))'));
ERROR 22007: Incorrect POINT value: 'POLYGON' for column 'pt' at row 1 ERROR 22007: Incorrect POINT value: 'POLYGON' for column 'pt' at row 1
drop table t1; drop table t1;
#
# TODO-424 geometry query crashes server
#
select astext(0x0100000000030000000100000000000010);
astext(0x0100000000030000000100000000000010)
NULL
select st_area(0x0100000000030000000100000000000010);
st_area(0x0100000000030000000100000000000010)
NULL
select astext(st_exteriorring(0x0100000000030000000100000000000010));
astext(st_exteriorring(0x0100000000030000000100000000000010))
NULL
select astext(st_centroid(0x0100000000030000000100000000000010));
astext(st_centroid(0x0100000000030000000100000000000010))
NULL
End of 5.5 tests End of 5.5 tests
...@@ -1367,4 +1367,11 @@ create table t1 (pt point); ...@@ -1367,4 +1367,11 @@ create table t1 (pt point);
insert into t1 values(Geomfromtext('POLYGON((1 1, 2 2, 2 1, 1 1))')); insert into t1 values(Geomfromtext('POLYGON((1 1, 2 2, 2 1, 1 1))'));
drop table t1; drop table t1;
--echo #
--echo # TODO-424 geometry query crashes server
--echo #
select astext(0x0100000000030000000100000000000010);
select st_area(0x0100000000030000000100000000000010);
select astext(st_exteriorring(0x0100000000030000000100000000000010));
select astext(st_centroid(0x0100000000030000000100000000000010));
--echo End of 5.5 tests --echo End of 5.5 tests
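Review bot: The new test case exercises only a POLYGON value whose point count exceeds the new bound, while the fix also adds the `n_points > max_n_points` check to the LINESTRING, MULTILINESTRING and MULTIPOLYGON readers in spatial.cc, so those paths stay unexercised by the suite. It would be worth adding one select per affected geometry type (astext plus a function that walks the points, as st_area and st_centroid do for the polygon here) with a similarly oversized point count, so that a future change dropping one of the checks is caught. The expected result for each should be NULL, matching the four cases already recorded.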
...@@ -631,7 +631,7 @@ bool Gis_line_string::get_data_as_wkt(String *txt, const char **end) const ...@@ -631,7 +631,7 @@ bool Gis_line_string::get_data_as_wkt(String *txt, const char **end) const
n_points= uint4korr(data); n_points= uint4korr(data);
data += 4; data += 4;
if (n_points < 1 || if (n_points < 1 || n_points > max_n_points ||
no_data(data, POINT_DATA_SIZE * n_points) || no_data(data, POINT_DATA_SIZE * n_points) ||
txt->reserve(((MAX_DIGITS_IN_DOUBLE + 1)*2 + 1) * n_points)) txt->reserve(((MAX_DIGITS_IN_DOUBLE + 1)*2 + 1) * n_points))
return 1; return 1;
...@@ -669,7 +669,8 @@ int Gis_line_string::geom_length(double *len, const char **end) const ...@@ -669,7 +669,8 @@ int Gis_line_string::geom_length(double *len, const char **end) const
return 1; return 1;
n_points= uint4korr(data); n_points= uint4korr(data);
data+= 4; data+= 4;
if (n_points < 1 || no_data(data, POINT_DATA_SIZE * n_points)) if (n_points < 1 || n_points > max_n_points ||
no_data(data, POINT_DATA_SIZE * n_points))
return 1; return 1;
get_point(&prev_x, &prev_y, data); get_point(&prev_x, &prev_y, data);
...@@ -717,7 +718,7 @@ int Gis_line_string::is_closed(int *closed) const ...@@ -717,7 +718,7 @@ int Gis_line_string::is_closed(int *closed) const
return 0; return 0;
} }
data+= 4; data+= 4;
if (n_points == 0 || if (n_points == 0 || n_points > max_n_points ||
no_data(data, POINT_DATA_SIZE * n_points)) no_data(data, POINT_DATA_SIZE * n_points))
return 1; return 1;
...@@ -782,7 +783,8 @@ int Gis_line_string::store_shapes(Gcalc_shape_transporter *trn) const ...@@ -782,7 +783,8 @@ int Gis_line_string::store_shapes(Gcalc_shape_transporter *trn) const
return 1; return 1;
n_points= uint4korr(data); n_points= uint4korr(data);
data+= 4; data+= 4;
if (n_points < 1 || no_data(data, POINT_DATA_SIZE * n_points)) if (n_points < 1 || n_points > max_n_points ||
no_data(data, POINT_DATA_SIZE * n_points))
return 1; return 1;
trn->start_line(); trn->start_line();
...@@ -966,7 +968,7 @@ bool Gis_polygon::get_data_as_wkt(String *txt, const char **end) const ...@@ -966,7 +968,7 @@ bool Gis_polygon::get_data_as_wkt(String *txt, const char **end) const
return 1; return 1;
n_points= uint4korr(data); n_points= uint4korr(data);
data+= 4; data+= 4;
if (no_data(data, POINT_DATA_SIZE * n_points) || if (n_points > max_n_points || no_data(data, POINT_DATA_SIZE * n_points) ||
txt->reserve(2 + ((MAX_DIGITS_IN_DOUBLE + 1) * 2 + 1) * n_points)) txt->reserve(2 + ((MAX_DIGITS_IN_DOUBLE + 1) * 2 + 1) * n_points))
return 1; return 1;
txt->qs_append('('); txt->qs_append('(');
...@@ -1020,7 +1022,7 @@ int Gis_polygon::area(double *ar, const char **end_of_data) const ...@@ -1020,7 +1022,7 @@ int Gis_polygon::area(double *ar, const char **end_of_data) const
if (no_data(data, 4)) if (no_data(data, 4))
return 1; return 1;
n_points= uint4korr(data); n_points= uint4korr(data);
if (no_data(data, POINT_DATA_SIZE * n_points)) if (n_points > max_n_points || no_data(data, POINT_DATA_SIZE * n_points))
return 1; return 1;
get_point(&prev_x, &prev_y, data+4); get_point(&prev_x, &prev_y, data+4);
data+= (4+POINT_DATA_SIZE); data+= (4+POINT_DATA_SIZE);
...@@ -1056,7 +1058,8 @@ int Gis_polygon::exterior_ring(String *result) const ...@@ -1056,7 +1058,8 @@ int Gis_polygon::exterior_ring(String *result) const
n_points= uint4korr(data); n_points= uint4korr(data);
data+= 4; data+= 4;
length= n_points * POINT_DATA_SIZE; length= n_points * POINT_DATA_SIZE;
if (no_data(data, length) || result->reserve(1 + 4 + 4 + length)) if (n_points > max_n_points ||
no_data(data, length) || result->reserve(1 + 4 + 4 + length))
return 1; return 1;
result->q_append((char) wkb_ndr); result->q_append((char) wkb_ndr);
...@@ -1102,7 +1105,8 @@ int Gis_polygon::interior_ring_n(uint32 num, String *result) const ...@@ -1102,7 +1105,8 @@ int Gis_polygon::interior_ring_n(uint32 num, String *result) const
n_points= uint4korr(data); n_points= uint4korr(data);
points_size= n_points * POINT_DATA_SIZE; points_size= n_points * POINT_DATA_SIZE;
data+= 4; data+= 4;
if (no_data(data, points_size) || result->reserve(1 + 4 + 4 + points_size)) if (n_points > max_n_points ||
no_data(data, points_size) || result->reserve(1 + 4 + 4 + points_size))
return 1; return 1;
result->q_append((char) wkb_ndr); result->q_append((char) wkb_ndr);
...@@ -1141,7 +1145,7 @@ int Gis_polygon::centroid_xy(double *x, double *y) const ...@@ -1141,7 +1145,7 @@ int Gis_polygon::centroid_xy(double *x, double *y) const
return 1; return 1;
org_n_points= n_points= uint4korr(data); org_n_points= n_points= uint4korr(data);
data+= 4; data+= 4;
if (no_data(data, POINT_DATA_SIZE * n_points)) if (n_points > max_n_points || no_data(data, POINT_DATA_SIZE * n_points))
return 1; return 1;
get_point(&prev_x, &prev_y, data); get_point(&prev_x, &prev_y, data);
data+= POINT_DATA_SIZE; data+= POINT_DATA_SIZE;
...@@ -1215,7 +1219,8 @@ int Gis_polygon::store_shapes(Gcalc_shape_transporter *trn) const ...@@ -1215,7 +1219,8 @@ int Gis_polygon::store_shapes(Gcalc_shape_transporter *trn) const
return 1; return 1;
n_points= uint4korr(data); n_points= uint4korr(data);
data+= 4; data+= 4;
if (!n_points || no_data(data, POINT_DATA_SIZE * n_points)) if (!n_points || n_points > max_n_points ||
no_data(data, POINT_DATA_SIZE * n_points))
return 1; return 1;
trn->start_ring(); trn->start_ring();
...@@ -1583,7 +1588,7 @@ bool Gis_multi_line_string::get_data_as_wkt(String *txt, ...@@ -1583,7 +1588,7 @@ bool Gis_multi_line_string::get_data_as_wkt(String *txt,
return 1; return 1;
n_points= uint4korr(data + WKB_HEADER_SIZE); n_points= uint4korr(data + WKB_HEADER_SIZE);
data+= WKB_HEADER_SIZE + 4; data+= WKB_HEADER_SIZE + 4;
if (no_data(data, n_points * POINT_DATA_SIZE) || if (n_points > max_n_points || no_data(data, n_points * POINT_DATA_SIZE) ||
txt->reserve(2 + ((MAX_DIGITS_IN_DOUBLE + 1) * 2 + 1) * n_points)) txt->reserve(2 + ((MAX_DIGITS_IN_DOUBLE + 1) * 2 + 1) * n_points))
return 1; return 1;
txt->qs_append('('); txt->qs_append('(');
...@@ -1905,7 +1910,8 @@ bool Gis_multi_polygon::get_data_as_wkt(String *txt, const char **end) const ...@@ -1905,7 +1910,8 @@ bool Gis_multi_polygon::get_data_as_wkt(String *txt, const char **end) const
return 1; return 1;
uint32 n_points= uint4korr(data); uint32 n_points= uint4korr(data);
data+= 4; data+= 4;
if (no_data(data, POINT_DATA_SIZE * n_points) || if (n_points > max_n_points ||
no_data(data, POINT_DATA_SIZE * n_points) ||
txt->reserve(2 + ((MAX_DIGITS_IN_DOUBLE + 1) * 2 + 1) * n_points, txt->reserve(2 + ((MAX_DIGITS_IN_DOUBLE + 1) * 2 + 1) * n_points,
512)) 512))
return 1; return 1;
...@@ -1988,6 +1994,8 @@ int Gis_multi_polygon::geometry_n(uint32 num, String *result) const ...@@ -1988,6 +1994,8 @@ int Gis_multi_polygon::geometry_n(uint32 num, String *result) const
if (no_data(data, 4)) if (no_data(data, 4))
return 1; return 1;
n_points= uint4korr(data); n_points= uint4korr(data);
if (n_points > max_n_points)
return 1;
data+= 4 + POINT_DATA_SIZE * n_points; data+= 4 + POINT_DATA_SIZE * n_points;
} }
} while (--num); } while (--num);
......
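Review bot: In the `Gis_polygon::area` hunk the new guard `n_points > max_n_points || no_data(data, POINT_DATA_SIZE * n_points)` still measures from `data`, which at that point still addresses the 4-byte count, while the points are read from `data+4` two lines later; unless no_data is more lenient than its name suggests, the last four bytes of the final point are never length-checked, so the call should be `no_data(data + 4, POINT_DATA_SIZE * n_points)` (or `data` should be advanced before the check, as the sibling hunks do). The bound only protects the `POINT_DATA_SIZE * n_points` product: the `txt->reserve(((MAX_DIGITS_IN_DOUBLE + 1)*2 + 1) * n_points)` sizes in the get_data_as_wkt hunks use a larger per-point multiplier and can presumably still wrap a uint32 once that much point data is actually present, which deserves its own bound or a wider intermediate type. Since the same two-term guard now appears in every hunk of this file, a small helper on `Geometry` such as `bool no_points_data(const char *data, uint32 n_points) const { return n_points > max_n_points || no_data(data, POINT_DATA_SIZE * n_points); }` would make the bound hard to forget in readers this commit did not touch. The enclosing functions all start and end outside the hunks.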
...@@ -210,6 +210,11 @@ struct Geometry_buffer; ...@@ -210,6 +210,11 @@ struct Geometry_buffer;
class Geometry class Geometry
{ {
public: public:
// Maximum number of points in feature that can fit into String
static const uint32 max_n_points=
(uint32) (UINT_MAX32 - WKB_HEADER_SIZE - 4 /* n_points */) /
POINT_DATA_SIZE;
Geometry() {} /* Remove gcc warning */ Geometry() {} /* Remove gcc warning */
virtual ~Geometry() {} /* Remove gcc warning */ virtual ~Geometry() {} /* Remove gcc warning */
static void *operator new(size_t size, void *buffer) static void *operator new(size_t size, void *buffer)
...@@ -391,10 +396,6 @@ class Gis_point: public Geometry ...@@ -391,10 +396,6 @@ class Gis_point: public Geometry
class Gis_line_string: public Geometry class Gis_line_string: public Geometry
{ {
// Maximum number of points in LineString that can fit into String
static const uint32 max_n_points=
(uint32) (UINT_MAX32 - WKB_HEADER_SIZE - 4 /* n_points */) /
POINT_DATA_SIZE;
public: public:
Gis_line_string() {} /* Remove gcc warning */ Gis_line_string() {} /* Remove gcc warning */
virtual ~Gis_line_string() {} /* Remove gcc warning */ virtual ~Gis_line_string() {} /* Remove gcc warning */
......
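Review bot: The comment on `max_n_points` in the `Geometry` hunk, `// Maximum number of points in feature that can fit into String`, describes a capacity limit, while the commit message says the bound exists so that `POINT_DATA_SIZE * n_points` cannot wrap a uint32; a reader seeing only the header would not learn that every reader of a WKB point count must compare against it before multiplying. Suggested comment: `// Upper bound on a WKB point count: keeps POINT_DATA_SIZE * n_points (plus the WKB header) below UINT_MAX32, so every reader must check n_points against it before computing sizes or advancing data.` Moving the constant from `Gis_line_string` to the public base is the right place, since the polygon and multi-polygon readers now use it too. The class bodies continue outside the hunks.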