From 6a113b215abde05ffe602111f54c2aef8e78bbd1 Mon Sep 17 00:00:00 2001
From: Ramil Kalimullin <ramil@mysql.com>
Date: Mon, 30 Aug 2010 11:51:46 +0400
Subject: Fix for bug #51875: crash when loading data into geometry function
 polyfromwkb

Check for number of line strings in the incoming polygon data (wkb) and
for number of points in the incoming linestring wkb.



mysql-test/r/gis.result:
  Fix for bug #51875: crash when loading data into geometry function polyfromwkb
    - test result.
mysql-test/t/gis.test:
  Fix for bug #51875: crash when loading data into geometry function polyfromwkb
    - test case.
sql/spatial.cc:
  Fix for bug #51875: crash when loading data into geometry function polyfromwkb
    - creating a polygon from wkb check for number of line strings,
    - creating a linestring from wkb check for number of line points.
---
 sql/spatial.cc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'sql/spatial.cc')

diff --git a/sql/spatial.cc b/sql/spatial.cc
index 2305a8eb97d..8b869a5b1ca 100644
--- a/sql/spatial.cc
+++ b/sql/spatial.cc
@@ -528,7 +528,7 @@ uint Gis_line_string::init_from_wkb(const char *wkb, uint len,
   n_points= wkb_get_uint(wkb, bo);
   proper_length= 4 + n_points * POINT_DATA_SIZE;
 
-  if (len < proper_length || res->reserve(proper_length))
+  if (!n_points || len < proper_length || res->reserve(proper_length))
     return 0;
 
   res->q_append(n_points);
@@ -746,7 +746,9 @@ uint Gis_polygon::init_from_wkb(const char *wkb, uint len, wkbByteOrder bo,
   if (len < 4)
     return 0;
 
-  n_linear_rings= wkb_get_uint(wkb, bo);
+  if (!(n_linear_rings= wkb_get_uint(wkb, bo)))
+    return 0;
+
   if (res->reserve(4, 512))
     return 0;
   wkb+= 4;
-- 
cgit v1.2.1