Commit b3cf9cd9 authored by Alexey Botchkov's avatar Alexey Botchkov

Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash

   the Point() and Linestring() functions create WKB representation of an
   object instead of an real geometry object.
   That produced bugs when these were inserted into tables.

   GIS tests fixed accordingly.
            
per-file messages:
  mysql-test/r/gis-rtree.result
Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
    test result
  mysql-test/r/gis.result
Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
    test result
  mysql-test/t/gis-rtree.test
Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
    test fixed - GeomFromWKB invocations removed
  mysql-test/t/gis.test
Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
    test fixed - AsWKB invocations added
  sql/item_geofunc.cc
Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
     Point() and similar functions to create a proper object
parent 5e2fe847
This diff is collapsed.
......@@ -47,26 +47,26 @@ INSERT INTO gis_point VALUES
INSERT INTO gis_line VALUES
(105, LineFromText('LINESTRING(0 0,0 10,10 0)')),
(106, LineStringFromText('LINESTRING(10 10,20 10,20 20,10 20,10 10)')),
(107, LineStringFromWKB(LineString(Point(10, 10), Point(40, 10))));
(107, LineStringFromWKB(AsWKB(LineString(Point(10, 10), Point(40, 10)))));
INSERT INTO gis_polygon VALUES
(108, PolygonFromText('POLYGON((10 10,20 10,20 20,10 20,10 10))')),
(109, PolyFromText('POLYGON((0 0,50 0,50 50,0 50,0 0), (10 10,20 10,20 20,10 20,10 10))')),
(110, PolyFromWKB(Polygon(LineString(Point(0, 0), Point(30, 0), Point(30, 30), Point(0, 0)))));
(110, PolyFromWKB(AsWKB(Polygon(LineString(Point(0, 0), Point(30, 0), Point(30, 30), Point(0, 0))))));
INSERT INTO gis_multi_point VALUES
(111, MultiPointFromText('MULTIPOINT(0 0,10 10,10 20,20 20)')),
(112, MPointFromText('MULTIPOINT(1 1,11 11,11 21,21 21)')),
(113, MPointFromWKB(MultiPoint(Point(3, 6), Point(4, 10))));
(113, MPointFromWKB(AsWKB(MultiPoint(Point(3, 6), Point(4, 10)))));
INSERT INTO gis_multi_line VALUES
(114, MultiLineStringFromText('MULTILINESTRING((10 48,10 21,10 0),(16 0,16 23,16 48))')),
(115, MLineFromText('MULTILINESTRING((10 48,10 21,10 0))')),
(116, MLineFromWKB(MultiLineString(LineString(Point(1, 2), Point(3, 5)), LineString(Point(2, 5), Point(5, 8), Point(21, 7)))));
(116, MLineFromWKB(AsWKB(MultiLineString(LineString(Point(1, 2), Point(3, 5)), LineString(Point(2, 5), Point(5, 8), Point(21, 7))))));
INSERT INTO gis_multi_polygon VALUES
(117, MultiPolygonFromText('MULTIPOLYGON(((28 26,28 0,84 0,84 42,28 26),(52 18,66 23,73 9,48 6,52 18)),((59 18,67 18,67 13,59 13,59 18)))')),
(118, MPolyFromText('MULTIPOLYGON(((28 26,28 0,84 0,84 42,28 26),(52 18,66 23,73 9,48 6,52 18)),((59 18,67 18,67 13,59 13,59 18)))')),
(119, MPolyFromWKB(MultiPolygon(Polygon(LineString(Point(0, 3), Point(3, 3), Point(3, 0), Point(0, 3))))));
(119, MPolyFromWKB(AsWKB(MultiPolygon(Polygon(LineString(Point(0, 3), Point(3, 3), Point(3, 0), Point(0, 3)))))));
INSERT INTO gis_geometrycollection VALUES
(120, GeomCollFromText('GEOMETRYCOLLECTION(POINT(0 0), LINESTRING(0 0,10 10))')),
(121, GeometryFromWKB(GeometryCollection(Point(44, 6), LineString(Point(3, 6), Point(7, 9)))));
(121, GeometryFromWKB(AsWKB(GeometryCollection(Point(44, 6), LineString(Point(3, 6), Point(7, 9))))));
INSERT into gis_geometry SELECT * FROM gis_point;
INSERT into gis_geometry SELECT * FROM gis_line;
INSERT into gis_geometry SELECT * FROM gis_polygon;
......
......@@ -41,7 +41,7 @@ while ($1)
let $2=10;
while ($2)
{
eval INSERT INTO t2 (g) VALUES (GeometryFromWKB(LineString(Point($1 * 10 - 9, $2 * 10 - 9), Point($1 * 10, $2 * 10))));
eval INSERT INTO t2 (g) VALUES (LineString(Point($1 * 10 - 9, $2 * 10 - 9), Point($1 * 10, $2 * 10)));
dec $2;
}
dec $1;
......@@ -61,7 +61,7 @@ while ($1)
let $2=10;
while ($2)
{
eval DELETE FROM t2 WHERE Within(g, Envelope(GeometryFromWKB(LineString(Point($1 * 10 - 9, $2 * 10 - 9), Point($1 * 10, $2 * 10)))));
eval DELETE FROM t2 WHERE Within(g, Envelope(GeometryFromWKB(Point($1 * 10 - 9, $2 * 10 - 9), Point($1 * 10, $2 * 10))));
SELECT count(*) FROM t2;
dec $2;
}
......@@ -235,11 +235,11 @@ DROP TABLE t1;
# Bug #21888: Query on GEOMETRY field using PointFromWKB() results in lost connection
#
CREATE TABLE t1 (foo GEOMETRY NOT NULL, SPATIAL INDEX(foo) );
INSERT INTO t1 (foo) VALUES (PointFromWKB(POINT(1,1)));
INSERT INTO t1 (foo) VALUES (PointFromWKB(POINT(1,0)));
INSERT INTO t1 (foo) VALUES (PointFromWKB(POINT(0,1)));
INSERT INTO t1 (foo) VALUES (PointFromWKB(POINT(0,0)));
SELECT 1 FROM t1 WHERE foo != PointFromWKB(POINT(0,0));
INSERT INTO t1 (foo) VALUES (POINT(1,1));
INSERT INTO t1 (foo) VALUES (POINT(1,0));
INSERT INTO t1 (foo) VALUES (POINT(0,1));
INSERT INTO t1 (foo) VALUES (POINT(0,0));
SELECT 1 FROM t1 WHERE foo != POINT(0,0);
DROP TABLE t1;
#
......@@ -802,35 +802,35 @@ DROP TABLE t1;
#
create table t1 (a geometry not null, spatial index(a));
insert into t1 values (PointFromWKB(POINT(1.1517219314031e+164, 131072)));
insert into t1 values (PointFromWKB(POINT(9.1248812352444e+192, 2.9740338169556e+284)));
insert into t1 values (PointFromWKB(POINT(4.7783097267365e-299, -0)));
insert into t1 values (PointFromWKB(POINT(1.49166814624e-154, 2.0880974297595e-53)));
insert into t1 values (PointFromWKB(POINT(4.0917382598702e+149, 1.2024538023802e+111)));
insert into t1 values (PointFromWKB(POINT(2.0349165139404e+236, 2.9993936277913e-241)));
insert into t1 values (PointFromWKB(POINT(2.5243548967072e-29, 1.2024538023802e+111)));
insert into t1 values (PointFromWKB(POINT(0, 6.9835074892995e-251)));
insert into t1 values (PointFromWKB(POINT(2.0880974297595e-53, 3.1050361846014e+231)));
insert into t1 values (PointFromWKB(POINT(2.8728483499323e-188, 2.4600631144627e+260)));
insert into t1 values (PointFromWKB(POINT(3.0517578125e-05, 2.0349165139404e+236)));
insert into t1 values (PointFromWKB(POINT(1.1517219314031e+164, 1.1818212630766e-125)));
insert into t1 values (PointFromWKB(POINT(2.481040258324e-265, 5.7766220027675e-275)));
insert into t1 values (PointFromWKB(POINT(2.0880974297595e-53, 2.5243548967072e-29)));
insert into t1 values (PointFromWKB(POINT(5.7766220027675e-275, 9.9464647281957e+86)));
insert into t1 values (PointFromWKB(POINT(2.2181357552967e+130, 3.7857669957337e-270)));
insert into t1 values (PointFromWKB(POINT(4.5767114681874e-246, 3.6893488147419e+19)));
insert into t1 values (PointFromWKB(POINT(4.5767114681874e-246, 3.7537584144024e+255)));
insert into t1 values (PointFromWKB(POINT(3.7857669957337e-270, 1.8033161362863e-130)));
insert into t1 values (PointFromWKB(POINT(0, 5.8774717541114e-39)));
insert into t1 values (PointFromWKB(POINT(1.1517219314031e+164, 2.2761049594727e-159)));
insert into t1 values (PointFromWKB(POINT(6.243497100632e+144, 3.7857669957337e-270)));
insert into t1 values (PointFromWKB(POINT(3.7857669957337e-270, 2.6355494858076e-82)));
insert into t1 values (PointFromWKB(POINT(2.0349165139404e+236, 3.8518598887745e-34)));
insert into t1 values (PointFromWKB(POINT(4.6566128730774e-10, 2.0880974297595e-53)));
insert into t1 values (PointFromWKB(POINT(2.0880974297595e-53, 1.8827498946116e-183)));
insert into t1 values (PointFromWKB(POINT(1.8033161362863e-130, 9.1248812352444e+192)));
insert into t1 values (PointFromWKB(POINT(4.7783097267365e-299, 2.2761049594727e-159)));
insert into t1 values (PointFromWKB(POINT(1.94906280228e+289, 1.2338789709327e-178)));
insert into t1 values (POINT(1.1517219314031e+164, 131072));
insert into t1 values (POINT(9.1248812352444e+192, 2.9740338169556e+284));
insert into t1 values (POINT(4.7783097267365e-299, -0));
insert into t1 values (POINT(1.49166814624e-154, 2.0880974297595e-53));
insert into t1 values (POINT(4.0917382598702e+149, 1.2024538023802e+111));
insert into t1 values (POINT(2.0349165139404e+236, 2.9993936277913e-241));
insert into t1 values (POINT(2.5243548967072e-29, 1.2024538023802e+111));
insert into t1 values (POINT(0, 6.9835074892995e-251));
insert into t1 values (POINT(2.0880974297595e-53, 3.1050361846014e+231));
insert into t1 values (POINT(2.8728483499323e-188, 2.4600631144627e+260));
insert into t1 values (POINT(3.0517578125e-05, 2.0349165139404e+236));
insert into t1 values (POINT(1.1517219314031e+164, 1.1818212630766e-125));
insert into t1 values (POINT(2.481040258324e-265, 5.7766220027675e-275));
insert into t1 values (POINT(2.0880974297595e-53, 2.5243548967072e-29));
insert into t1 values (POINT(5.7766220027675e-275, 9.9464647281957e+86));
insert into t1 values (POINT(2.2181357552967e+130, 3.7857669957337e-270));
insert into t1 values (POINT(4.5767114681874e-246, 3.6893488147419e+19));
insert into t1 values (POINT(4.5767114681874e-246, 3.7537584144024e+255));
insert into t1 values (POINT(3.7857669957337e-270, 1.8033161362863e-130));
insert into t1 values (POINT(0, 5.8774717541114e-39));
insert into t1 values (POINT(1.1517219314031e+164, 2.2761049594727e-159));
insert into t1 values (POINT(6.243497100632e+144, 3.7857669957337e-270));
insert into t1 values (POINT(3.7857669957337e-270, 2.6355494858076e-82));
insert into t1 values (POINT(2.0349165139404e+236, 3.8518598887745e-34));
insert into t1 values (POINT(4.6566128730774e-10, 2.0880974297595e-53));
insert into t1 values (POINT(2.0880974297595e-53, 1.8827498946116e-183));
insert into t1 values (POINT(1.8033161362863e-130, 9.1248812352444e+192));
insert into t1 values (POINT(4.7783097267365e-299, 2.2761049594727e-159));
insert into t1 values (POINT(1.94906280228e+289, 1.2338789709327e-178));
drop table t1;
# End of 4.1 tests
......
......@@ -36,32 +36,32 @@ INSERT INTO gis_point VALUES
INSERT INTO gis_line VALUES
(105, LineFromText('LINESTRING(0 0,0 10,10 0)')),
(106, LineStringFromText('LINESTRING(10 10,20 10,20 20,10 20,10 10)')),
(107, LineStringFromWKB(LineString(Point(10, 10), Point(40, 10))));
(107, LineStringFromWKB(AsWKB(LineString(Point(10, 10), Point(40, 10)))));
INSERT INTO gis_polygon VALUES
(108, PolygonFromText('POLYGON((10 10,20 10,20 20,10 20,10 10))')),
(109, PolyFromText('POLYGON((0 0,50 0,50 50,0 50,0 0), (10 10,20 10,20 20,10 20,10 10))')),
(110, PolyFromWKB(Polygon(LineString(Point(0, 0), Point(30, 0), Point(30, 30), Point(0, 0)))));
(110, PolyFromWKB(AsWKB(Polygon(LineString(Point(0, 0), Point(30, 0), Point(30, 30), Point(0, 0))))));
INSERT INTO gis_multi_point VALUES
(111, MultiPointFromText('MULTIPOINT(0 0,10 10,10 20,20 20)')),
(112, MPointFromText('MULTIPOINT(1 1,11 11,11 21,21 21)')),
(113, MPointFromWKB(MultiPoint(Point(3, 6), Point(4, 10))));
(113, MPointFromWKB(AsWKB(MultiPoint(Point(3, 6), Point(4, 10)))));
INSERT INTO gis_multi_line VALUES
(114, MultiLineStringFromText('MULTILINESTRING((10 48,10 21,10 0),(16 0,16 23,16 48))')),
(115, MLineFromText('MULTILINESTRING((10 48,10 21,10 0))')),
(116, MLineFromWKB(MultiLineString(LineString(Point(1, 2), Point(3, 5)), LineString(Point(2, 5), Point(5, 8), Point(21, 7)))));
(116, MLineFromWKB(AsWKB(MultiLineString(LineString(Point(1, 2), Point(3, 5)), LineString(Point(2, 5), Point(5, 8), Point(21, 7))))));
INSERT INTO gis_multi_polygon VALUES
(117, MultiPolygonFromText('MULTIPOLYGON(((28 26,28 0,84 0,84 42,28 26),(52 18,66 23,73 9,48 6,52 18)),((59 18,67 18,67 13,59 13,59 18)))')),
(118, MPolyFromText('MULTIPOLYGON(((28 26,28 0,84 0,84 42,28 26),(52 18,66 23,73 9,48 6,52 18)),((59 18,67 18,67 13,59 13,59 18)))')),
(119, MPolyFromWKB(MultiPolygon(Polygon(LineString(Point(0, 3), Point(3, 3), Point(3, 0), Point(0, 3))))));
(119, MPolyFromWKB(AsWKB(MultiPolygon(Polygon(LineString(Point(0, 3), Point(3, 3), Point(3, 0), Point(0, 3)))))));
INSERT INTO gis_geometrycollection VALUES
(120, GeomCollFromText('GEOMETRYCOLLECTION(POINT(0 0), LINESTRING(0 0,10 10))')),
(121, GeometryFromWKB(GeometryCollection(Point(44, 6), LineString(Point(3, 6), Point(7, 9)))));
(121, GeometryFromWKB(AsWKB(GeometryCollection(Point(44, 6), LineString(Point(3, 6), Point(7, 9))))));
INSERT into gis_geometry SELECT * FROM gis_point;
INSERT into gis_geometry SELECT * FROM gis_line;
......
......@@ -70,10 +70,17 @@ String *Item_func_geometry_from_wkb::val_str(String *str)
{
DBUG_ASSERT(fixed == 1);
String arg_val;
String *wkb= args[0]->val_str(&arg_val);
String *wkb;
Geometry_buffer buffer;
uint32 srid= 0;
if (args[0]->field_type() == MYSQL_TYPE_GEOMETRY)
{
return args[0]->val_str(str);
}
wkb= args[0]->val_str(&arg_val);
if ((arg_count == 2) && !args[1]->null_value)
srid= (uint32)args[1]->val_int();
......@@ -83,8 +90,8 @@ String *Item_func_geometry_from_wkb::val_str(String *str)
str->length(0);
str->q_append(srid);
if ((null_value=
(args[0]->null_value ||
!Geometry::create_from_wkb(&buffer, wkb->ptr(), wkb->length(), str))))
(args[0]->null_value ||
!Geometry::create_from_wkb(&buffer, wkb->ptr(), wkb->length(), str))))
return 0;
return str;
}
......@@ -337,14 +344,16 @@ String *Item_func_point::val_str(String *str)
DBUG_ASSERT(fixed == 1);
double x= args[0]->val_real();
double y= args[1]->val_real();
uint32 srid= 0;
if ((null_value= (args[0]->null_value ||
args[1]->null_value ||
str->realloc(1 + 4 + SIZEOF_STORED_DOUBLE*2))))
str->realloc(4/*SRID*/ + 1 + 4 + SIZEOF_STORED_DOUBLE*2))))
return 0;
str->set_charset(&my_charset_bin);
str->length(0);
str->q_append(srid);
str->q_append((char)Geometry::wkb_ndr);
str->q_append((uint32)Geometry::wkb_point);
str->q_append(x);
......@@ -368,12 +377,14 @@ String *Item_func_spatial_collection::val_str(String *str)
DBUG_ASSERT(fixed == 1);
String arg_value;
uint i;
uint32 srid= 0;
str->set_charset(&my_charset_bin);
str->length(0);
if (str->reserve(1 + 4 + 4, 512))
if (str->reserve(4/*SRID*/ + 1 + 4 + 4, 512))
goto err;
str->q_append(srid);
str->q_append((char) Geometry::wkb_ndr);
str->q_append((uint32) coll_type);
str->q_append((uint32) arg_count);
......@@ -391,13 +402,13 @@ String *Item_func_spatial_collection::val_str(String *str)
In the case of GeometryCollection we don't need any checkings
for item types, so just copy them into target collection
*/
if (str->append(res->ptr(), len, (uint32) 512))
if (str->append(res->ptr() + 4/*SRID*/, len - 4/*SRID*/, (uint32) 512))
goto err;
}
else
{
enum Geometry::wkbType wkb_type;
const char *data= res->ptr() + 1;
const char *data= res->ptr() + 4/*SRID*/ + 1;
/*
In the case of named collection we must check that items
......@@ -406,7 +417,7 @@ String *Item_func_spatial_collection::val_str(String *str)
wkb_type= (Geometry::wkbType) uint4korr(data);
data+= 4;
len-= 5;
len-= 5 + 4/*SRID*/;
if (wkb_type != item_type)
goto err;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment