-rw-r--r-- | mysql-test/r/gis.result | 48 | ||||
-rw-r--r-- | mysql-test/t/gis.test | 24 | ||||
-rw-r--r-- | sql/item_geofunc.cc | 13 |
3 files changed, 82 insertions, 3 deletions
diff --git a/mysql-test/r/gis.result b/mysql-test/r/gis.result
index 494b7a36532..a3708d06a1c 100644
--- a/mysql-test/r/gis.result
+++ b/mysql-test/r/gis.result
@@ -984,4 +984,52 @@ f4 geometry YES NULL
 f5 datetime YES NULL
 drop view v1;
 drop table t1;
+SELECT MultiPoint(12345,'');
+MultiPoint(12345,'')
+NULL
+SELECT MultiPoint(123451,'');
+MultiPoint(123451,'')
+NULL
+SELECT MultiPoint(1234512,'');
+MultiPoint(1234512,'')
+NULL
+SELECT MultiPoint(12345123,'');
+MultiPoint(12345123,'')
+NULL
+SELECT MultiLineString(12345,'');
+MultiLineString(12345,'')
+NULL
+SELECT MultiLineString(123451,'');
+MultiLineString(123451,'')
+NULL
+SELECT MultiLineString(1234512,'');
+MultiLineString(1234512,'')
+NULL
+SELECT MultiLineString(12345123,'');
+MultiLineString(12345123,'')
+NULL
+SELECT LineString(12345,'');
+LineString(12345,'')
+NULL
+SELECT LineString(123451,'');
+LineString(123451,'')
+NULL
+SELECT LineString(1234512,'');
+LineString(1234512,'')
+NULL
+SELECT LineString(12345123,'');
+LineString(12345123,'')
+NULL
+SELECT Polygon(12345,'');
+Polygon(12345,'')
+NULL
+SELECT Polygon(123451,'');
+Polygon(123451,'')
+NULL
+SELECT Polygon(1234512,'');
+Polygon(1234512,'')
+NULL
+SELECT Polygon(12345123,'');
+Polygon(12345123,'')
+NULL
 End of 5.1 tests
diff --git a/mysql-test/t/gis.test b/mysql-test/t/gis.test
index 0dae4509518..4a60e777cc7 100644
--- a/mysql-test/t/gis.test
+++ b/mysql-test/t/gis.test
@@ -667,4 +667,28 @@ desc v1;
 drop view v1;
 drop table t1;
+#
+# Bug#44684: valgrind reports invalid reads in
+# Item_func_spatial_collection::val_str
+#
+SELECT MultiPoint(12345,'');
+SELECT MultiPoint(123451,'');
+SELECT MultiPoint(1234512,'');
+SELECT MultiPoint(12345123,'');
+
+SELECT MultiLineString(12345,'');
+SELECT MultiLineString(123451,'');
+SELECT MultiLineString(1234512,'');
+SELECT MultiLineString(12345123,'');
+
+SELECT LineString(12345,'');
+SELECT LineString(123451,'');
+SELECT LineString(1234512,'');
+SELECT LineString(12345123,'');
+
+SELECT Polygon(12345,'');
+SELECT Polygon(123451,'');
+SELECT Polygon(1234512,'');
+SELECT Polygon(12345123,'');
+
 --echo End of 5.1 tests
diff --git a/sql/item_geofunc.cc b/sql/item_geofunc.cc
index 24a92c78e9c..a34204b7181 100644
--- a/sql/item_geofunc.cc
+++ b/sql/item_geofunc.cc
@@ -416,7 +416,10 @@ String *Item_func_spatial_collection::val_str(String *str)
 else
 {
 enum Geometry::wkbType wkb_type;
- const char *data= res->ptr() + 4/*SRID*/ + 1;
+ const uint data_offset= 4/*SRID*/ + 1;
+ if (res->length() < data_offset + sizeof(uint32))
+ goto err;
+ const char *data= res->ptr() + data_offset;
 /*
 In the case of named collection we must check that items
@@ -439,7 +442,7 @@ String *Item_func_spatial_collection::val_str(String *str)
 break;
 case Geometry::wkb_linestring:
- if (str->append(data, POINT_DATA_SIZE, 512))
+ if (len < POINT_DATA_SIZE || str->append(data, POINT_DATA_SIZE, 512))
 goto err;
 break;
 case Geometry::wkb_polygon:
@@ -448,11 +451,15 @@ String *Item_func_spatial_collection::val_str(String *str)
 double x1, y1, x2, y2;
 const char *org_data= data;
- if (len < 4 + 2 * POINT_DATA_SIZE)
+ if (len < 4)
 goto err;
 n_points= uint4korr(data);
 data+= 4;
+
+ if (n_points < 2 || len < 4 + n_points * POINT_DATA_SIZE)
+ goto err;
+
 float8get(x1, data);
 data+= SIZEOF_STORED_DOUBLE;
 float8get(y1, data); |
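Review bot: The new guard `if (res->length() < data_offset + sizeof(uint32))` is correct but its constants are bare, so it needs a comment stating what the nine bytes are: `/* 4-byte SRID + 1-byte WKB byte-order flag, then the 4-byte WKB type tag read just below */`. I would also write the offset as `const uint data_offset= 4/*SRID*/ + 1/*byte order*/;` so the `+ 1` stops being a magic number. The type-tag read and the presumable subtraction of these header bytes from `len` that this check protects are outside the hunk, so confirm nothing between the check and that read changes `res`. val_str starts and ends outside the hunk.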
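Review bot: The `len < POINT_DATA_SIZE` test added to the wkb_linestring branch is right, but the wkb_point branch that ends at the `break;` context line above it is outside this diff; if it still calls `str->append(data, POINT_DATA_SIZE, 512)` unguarded, a nine-byte argument whose type tag says point (which now passes the header check) still over-reads 16 bytes through MultiPoint() or LineString(). The same one-line change closes it: `if (len < POINT_DATA_SIZE || str->append(data, POINT_DATA_SIZE, 512))`. The check also only means anything if `len` has already been reduced by the SRID and WKB header, which happens outside the hunk. Separately, a WKB linestring body begins with a 4-byte point count, so copying a fixed POINT_DATA_SIZE bytes of a linestring item (pre-existing, not changed here) cannot be a complete linestring; worth confirming that this is the intended representation and not a latent truncation.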
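Review bot: The new bound `len < 4 + n_points * POINT_DATA_SIZE` can be defeated by unsigned wrap-around: `n_points` is filled from `uint4korr`, so if it is a 32-bit unsigned (its declaration sits just above the hunk) and POINT_DATA_SIZE is the usual int constant 16, any value of 2^28 or more makes the product wrap to a small number, the test passes with `len` as small as 4, and `float8get(x1, data)` on the next line reads past the end of the argument again. The bytes come from an ordinary string literal handed to Polygon(), so the over-read this commit fixes is not fully closed. Divide instead of multiply, which cannot overflow because `len >= 4` was just established: `if (n_points < 2 || n_points > (len - 4) / POINT_DATA_SIZE) goto err;`. The rest of the polygon case, presumably including a `data+=` walk to the last point, is outside the hunk and relies on this check.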