From 511b9432637510617b04bde92c51a184c1e3aea8 Mon Sep 17 00:00:00 2001 From: Alexey Botchkov Date: Sun, 10 Mar 2013 23:08:05 +0400 Subject: MDEV-4252 geometry query crashes server. The bug was found by Alyssa Milburn. If the number of points of a geometry feature read from binary representation is greater than 0x10000000, then the (uint32) (num_points * 16) will cut the higher byte, which leads to various errors. Fixed by additional check if (num_points > max_n_points). --- sql/spatial.cc | 27 ++++++++++++++++++--------- sql/spatial.h | 9 +++++---- 2 files changed, 23 insertions(+), 13 deletions(-) (limited to 'sql') diff --git a/sql/spatial.cc b/sql/spatial.cc index eec028eaef1..94d0238993c 100644 --- a/sql/spatial.cc +++ b/sql/spatial.cc @@ -556,7 +556,7 @@ bool Gis_line_string::get_data_as_wkt(String *txt, const char **end) const n_points= uint4korr(data); data += 4; - if (n_points < 1 || + if (n_points < 1 || n_points > max_n_points || no_data(data, SIZEOF_STORED_DOUBLE * 2 * n_points) || txt->reserve(((MAX_DIGITS_IN_DOUBLE + 1)*2 + 1) * n_points)) return 1; @@ -594,7 +594,8 @@ int Gis_line_string::geom_length(double *len) const return 1; n_points= uint4korr(data); data+= 4; - if (n_points < 1 || no_data(data, SIZEOF_STORED_DOUBLE * 2 * n_points)) + if (n_points < 1 || n_points > max_n_points || + no_data(data, SIZEOF_STORED_DOUBLE * 2 * n_points)) return 1; get_point(&prev_x, &prev_y, data); @@ -628,7 +629,7 @@ int Gis_line_string::is_closed(int *closed) const return 0; } data+= 4; - if (n_points == 0 || + if (n_points == 0 || n_points > max_n_points || no_data(data, SIZEOF_STORED_DOUBLE * 2 * n_points)) return 1; @@ -798,7 +799,8 @@ bool Gis_polygon::get_data_as_wkt(String *txt, const char **end) const return 1; n_points= uint4korr(data); data+= 4; - if (no_data(data, (SIZEOF_STORED_DOUBLE*2) * n_points) || + if (n_points > max_n_points || + no_data(data, (SIZEOF_STORED_DOUBLE*2) * n_points) || txt->reserve(2 + ((MAX_DIGITS_IN_DOUBLE + 1) * 2 + 1) * n_points)) return 1; txt->qs_append('('); @@ -852,7 +854,8 @@ int Gis_polygon::area(double *ar, const char **end_of_data) const if (no_data(data, 4)) return 1; n_points= uint4korr(data); - if (no_data(data, (SIZEOF_STORED_DOUBLE*2) * n_points)) + if (n_points > max_n_points || + no_data(data, (SIZEOF_STORED_DOUBLE*2) * n_points)) return 1; get_point(&prev_x, &prev_y, data+4); data+= (4+SIZEOF_STORED_DOUBLE*2); @@ -888,7 +891,8 @@ int Gis_polygon::exterior_ring(String *result) const n_points= uint4korr(data); data+= 4; length= n_points * POINT_DATA_SIZE; - if (no_data(data, length) || result->reserve(1+4+4+ length)) + if (n_points > max_n_points || + no_data(data, length) || result->reserve(1+4+4+ length)) return 1; result->q_append((char) wkb_ndr); @@ -973,7 +977,8 @@ int Gis_polygon::centroid_xy(double *x, double *y) const return 1; org_n_points= n_points= uint4korr(data); data+= 4; - if (no_data(data, (SIZEOF_STORED_DOUBLE*2) * n_points)) + if (n_points > max_n_points || + no_data(data, (SIZEOF_STORED_DOUBLE*2) * n_points)) return 1; get_point(&prev_x, &prev_y, data); data+= (SIZEOF_STORED_DOUBLE*2); @@ -1260,7 +1265,8 @@ bool Gis_multi_line_string::get_data_as_wkt(String *txt, return 1; n_points= uint4korr(data + WKB_HEADER_SIZE); data+= WKB_HEADER_SIZE + 4; - if (no_data(data, n_points * (SIZEOF_STORED_DOUBLE*2)) || + if (n_points > max_n_points || + no_data(data, n_points * (SIZEOF_STORED_DOUBLE*2)) || txt->reserve(2 + ((MAX_DIGITS_IN_DOUBLE + 1) * 2 + 1) * n_points)) return 1; txt->qs_append('('); @@ -1521,7 +1527,8 @@ bool Gis_multi_polygon::get_data_as_wkt(String *txt, const char **end) const return 1; uint32 n_points= uint4korr(data); data+= 4; - if (no_data(data, (SIZEOF_STORED_DOUBLE * 2) * n_points) || + if (n_points > max_n_points || + no_data(data, (SIZEOF_STORED_DOUBLE * 2) * n_points) || txt->reserve(2 + ((MAX_DIGITS_IN_DOUBLE + 1) * 2 + 1) * n_points, 512)) return 1; @@ -1604,6 +1611,8 @@ int Gis_multi_polygon::geometry_n(uint32 num, String *result) const if (no_data(data, 4)) return 1; n_points= uint4korr(data); + if (n_points > max_n_points) + return 1; data+= 4 + POINT_DATA_SIZE * n_points; } } while (--num); diff --git a/sql/spatial.h b/sql/spatial.h index 20b3856ca9a..7d254252b3f 100644 --- a/sql/spatial.h +++ b/sql/spatial.h @@ -196,6 +196,11 @@ struct Geometry_buffer; class Geometry { +public: + // Maximum number of points in feature that can fit into String + static const uint32 max_n_points= + (uint32) (UINT_MAX32 - WKB_HEADER_SIZE - 4 /* n_points */) / + POINT_DATA_SIZE; public: Geometry() {} /* Remove gcc warning */ virtual ~Geometry() {} /* Remove gcc warning */ @@ -379,10 +384,6 @@ public: class Gis_line_string: public Geometry { - // Maximum number of points in LineString that can fit into String - static const uint32 max_n_points= - (uint32) (UINT_MAX32 - WKB_HEADER_SIZE - 4 /* n_points */) / - POINT_DATA_SIZE; public: Gis_line_string() {} /* Remove gcc warning */ virtual ~Gis_line_string() {} /* Remove gcc warning */ -- cgit v1.2.1 From 019f7425b70bb992bf6446a3c9a1dda041a4440d Mon Sep 17 00:00:00 2001 From: Sergei Golubchik Date: Sun, 17 Mar 2013 07:41:22 +0100 Subject: MDEV-4281 Assertion `maybe_null && item->null_value' fails in make_sortkey on CASE with different return types, GROUP_CONCAT, GROUP BY Fix Item::get_date() to mark the item NULL when returning an error. --- sql/filesort.cc | 5 ++++- sql/item.cc | 8 ++++++-- 2 files changed, 10 insertions(+), 3 deletions(-) (limited to 'sql') diff --git a/sql/filesort.cc b/sql/filesort.cc index 703264b7ef5..6619989c1ea 100644 --- a/sql/filesort.cc +++ b/sql/filesort.cc @@ -869,7 +869,10 @@ static void make_sortkey(register SORTPARAM *param, { MYSQL_TIME buf; if (item->get_date_result(&buf, TIME_FUZZY_DATE | TIME_INVALID_DATES)) - DBUG_ASSERT(maybe_null && item->null_value); + { + DBUG_ASSERT(maybe_null); + DBUG_ASSERT(item->null_value); + } else value= pack_time(&buf); } diff --git a/sql/item.cc b/sql/item.cc index 2e023168f34..cb60d6fb812 100644 --- a/sql/item.cc +++ b/sql/item.cc @@ -1197,11 +1197,15 @@ bool Item::get_date(MYSQL_TIME *ltime,uint fuzzydate) DBUG_ASSERT(0); } - return 0; + return null_value= 0; err: + /* + if the item was not null and convertion failed, we return a zero date + if allowed, otherwise - null. + */ bzero((char*) ltime,sizeof(*ltime)); - return 1; + return null_value|= (fuzzydate & (TIME_NO_ZERO_DATE|TIME_NO_ZERO_IN_DATE)); } bool Item::get_seconds(ulonglong *sec, ulong *sec_part) -- cgit v1.2.1 From 3827d70a0edb9b88f30dd64a2d7ee2853524dd4e Mon Sep 17 00:00:00 2001 From: Sergei Golubchik Date: Sun, 17 Mar 2013 17:44:15 +0100 Subject: MDEV-4286 Server crashes in Protocol_text::store, stack smashing detected AVG() returns a double, its max_length is reasonably limited by a double number length, even if the argument is many Kbytes long. --- sql/item_sum.cc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'sql') diff --git a/sql/item_sum.cc b/sql/item_sum.cc index b9c041c1a2e..3f2020efeb5 100644 --- a/sql/item_sum.cc +++ b/sql/item_sum.cc @@ -1242,9 +1242,10 @@ void Item_sum_avg::fix_length_and_dec() f_scale= args[0]->decimals; dec_bin_size= my_decimal_get_binary_size(f_precision, f_scale); } - else { + else + { decimals= min(args[0]->decimals + prec_increment, NOT_FIXED_DEC); - max_length= args[0]->max_length + prec_increment; + max_length= min(args[0]->max_length + prec_increment, float_length(decimals)); } } -- cgit v1.2.1 From 8f607aae127439e132dae00b2750727162f4d564 Mon Sep 17 00:00:00 2001 From: Sergei Golubchik Date: Mon, 18 Mar 2013 08:44:24 +0100 Subject: MDEV-4283 Assertion `scale <= precision' fails in strings/decimal.c with decimals=NOT_FIXED_DEC it is possible to have 'decimals' larger than 'max_length', it's not an error for temporal functions. But when Item_func_numhybrid converts the value to DECIMAL_RESULT, it must limit 'decimals' to be a valid scale of a decimal number. --- sql/item_func.cc | 4 +++- sql/item_func.h | 7 +++++++ 2 files changed, 10 insertions(+), 1 deletion(-) (limited to 'sql') diff --git a/sql/item_func.cc b/sql/item_func.cc index f3a5c08d621..120e3d73a34 100644 --- a/sql/item_func.cc +++ b/sql/item_func.cc @@ -742,13 +742,14 @@ void Item_num_op::find_num_type(void) { hybrid_type= DECIMAL_RESULT; result_precision(); + fix_decimals(); } else { DBUG_ASSERT(r0 == INT_RESULT && r1 == INT_RESULT); - decimals= 0; hybrid_type=INT_RESULT; result_precision(); + decimals= 0; } DBUG_PRINT("info", ("Type: %s", (hybrid_type == REAL_RESULT ? "REAL_RESULT" : @@ -1492,6 +1493,7 @@ void Item_func_div::fix_length_and_dec() break; case DECIMAL_RESULT: result_precision(); + fix_decimals(); break; case STRING_RESULT: case ROW_RESULT: diff --git a/sql/item_func.h b/sql/item_func.h index 2db8ab76ffe..6cd036920f8 100644 --- a/sql/item_func.h +++ b/sql/item_func.h @@ -348,6 +348,13 @@ public: void fix_num_length_and_dec(); virtual void find_num_type()= 0; /* To be called from fix_length_and_dec */ + inline void fix_decimals() + { + DBUG_ASSERT(result_type() == DECIMAL_RESULT); + if (decimals == NOT_FIXED_DEC) + set_if_smaller(decimals, max_length - 1); + } + double val_real(); longlong val_int(); my_decimal *val_decimal(my_decimal *); -- cgit v1.2.1 From a4a18e0cbbaf2a43507b3c2232fed700403ad04d Mon Sep 17 00:00:00 2001 From: Sergei Golubchik Date: Mon, 18 Mar 2013 10:35:03 +0100 Subject: MDEV-4289 Assertion `0' fails in make_sortkey with GROUP_CONCAT, MAKE_SET, GROUP BY Item_func_make_set wasn't taking into account the first argument when calculating maybe_null. sql/item_strfunc.cc: rewrite Item_func_make_set, removing separate storage of the first argument sql/item_strfunc.h: rewrite Item_func_make_set, removing separate storage of the first argument --- sql/item_create.cc | 3 +-- sql/item_strfunc.cc | 72 ++++++----------------------------------------------- sql/item_strfunc.h | 20 +-------------- 3 files changed, 10 insertions(+), 85 deletions(-) (limited to 'sql') diff --git a/sql/item_create.cc b/sql/item_create.cc index a5dc3eeb5ad..78b50ff01fc 100644 --- a/sql/item_create.cc +++ b/sql/item_create.cc @@ -3952,8 +3952,7 @@ Create_func_make_set::create_native(THD *thd, LEX_STRING name, return NULL; } - Item *param_1= item_list->pop(); - return new (thd->mem_root) Item_func_make_set(param_1, *item_list); + return new (thd->mem_root) Item_func_make_set(*item_list); } diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc index 9cc77849094..ffa227834a9 100644 --- a/sql/item_strfunc.cc +++ b/sql/item_strfunc.cc @@ -2233,37 +2233,14 @@ String *Item_func_elt::val_str(String *str) } -void Item_func_make_set::split_sum_func(THD *thd, Item **ref_pointer_array, - List &fields) -{ - item->split_sum_func2(thd, ref_pointer_array, fields, &item, TRUE); - Item_str_func::split_sum_func(thd, ref_pointer_array, fields); -} - - void Item_func_make_set::fix_length_and_dec() { - max_length=arg_count-1; - - if (agg_arg_charsets(collation, args, arg_count, MY_COLL_ALLOW_CONV, 1)) + if (agg_arg_charsets(collation, args+1, arg_count-1, MY_COLL_ALLOW_CONV, 1)) return; - for (uint i=0 ; i < arg_count ; i++) + max_length=arg_count-2; + for (uint i=1 ; i < arg_count ; i++) max_length+=args[i]->max_length; - - used_tables_cache|= item->used_tables(); - not_null_tables_cache&= item->not_null_tables(); - const_item_cache&= item->const_item(); - with_sum_func= with_sum_func || item->with_sum_func; -} - - -void Item_func_make_set::update_used_tables() -{ - Item_func::update_used_tables(); - item->update_used_tables(); - used_tables_cache|=item->used_tables(); - const_item_cache&=item->const_item(); } @@ -2272,15 +2249,15 @@ String *Item_func_make_set::val_str(String *str) DBUG_ASSERT(fixed == 1); ulonglong bits; bool first_found=0; - Item **ptr=args; + Item **ptr=args+1; String *result=&my_empty_string; - bits=item->val_int(); - if ((null_value=item->null_value)) + bits=args[0]->val_int(); + if ((null_value=args[0]->null_value)) return NULL; - if (arg_count < 64) - bits &= ((ulonglong) 1 << arg_count)-1; + if (arg_count < 65) + bits &= ((ulonglong) 1 << (arg_count-1))-1; for (; bits; bits >>= 1, ptr++) { @@ -2320,39 +2297,6 @@ String *Item_func_make_set::val_str(String *str) } -Item *Item_func_make_set::transform(Item_transformer transformer, uchar *arg) -{ - DBUG_ASSERT(!current_thd->is_stmt_prepare()); - - Item *new_item= item->transform(transformer, arg); - if (!new_item) - return 0; - - /* - THD::change_item_tree() should be called only if the tree was - really transformed, i.e. when a new item has been created. - Otherwise we'll be allocating a lot of unnecessary memory for - change records at each execution. - */ - if (item != new_item) - current_thd->change_item_tree(&item, new_item); - return Item_str_func::transform(transformer, arg); -} - - -void Item_func_make_set::print(String *str, enum_query_type query_type) -{ - str->append(STRING_WITH_LEN("make_set(")); - item->print(str, query_type); - if (arg_count) - { - str->append(','); - print_args(str, 0, query_type); - } - str->append(')'); -} - - String *Item_func_char::val_str(String *str) { DBUG_ASSERT(fixed == 1); diff --git a/sql/item_strfunc.h b/sql/item_strfunc.h index e8fa041af4f..a4fae7c69a1 100644 --- a/sql/item_strfunc.h +++ b/sql/item_strfunc.h @@ -497,31 +497,13 @@ public: class Item_func_make_set :public Item_str_func { - Item *item; String tmp_str; public: - Item_func_make_set(Item *a,List &list) :Item_str_func(list),item(a) {} + Item_func_make_set(List &list) :Item_str_func(list) {} String *val_str(String *str); - bool fix_fields(THD *thd, Item **ref) - { - DBUG_ASSERT(fixed == 0); - return ((!item->fixed && item->fix_fields(thd, &item)) || - item->check_cols(1) || - Item_func::fix_fields(thd, ref)); - } - void split_sum_func(THD *thd, Item **ref_pointer_array, List &fields); void fix_length_and_dec(); - void update_used_tables(); const char *func_name() const { return "make_set"; } - - bool walk(Item_processor processor, bool walk_subquery, uchar *arg) - { - return item->walk(processor, walk_subquery, arg) || - Item_str_func::walk(processor, walk_subquery, arg); - } - Item *transform(Item_transformer transformer, uchar *arg); - virtual void print(String *str, enum_query_type query_type); }; -- cgit v1.2.1 From 589247ae86b25eaa9bd75e4f26ecd06831469311 Mon Sep 17 00:00:00 2001 From: Alexey Botchkov Date: Mon, 18 Mar 2013 17:58:00 +0400 Subject: MDEV-4252 geometry query crashes server. Additional fixes for possible overflows in length-related calculations in 'spatial' implementations. Checks added to the ::get_data_size() methods. max_n_points decreased to occupy less 2G size. An object of that size is practically inoperable anyway. --- sql/spatial.cc | 67 ++++++++++++++++++++++++++++++++++++++++------------------ sql/spatial.h | 2 +- 2 files changed, 48 insertions(+), 21 deletions(-) (limited to 'sql') diff --git a/sql/spatial.cc b/sql/spatial.cc index 94d0238993c..5a4b768140c 100644 --- a/sql/spatial.cc +++ b/sql/spatial.cc @@ -394,18 +394,19 @@ const char *Geometry::append_points(String *txt, uint32 n_points, const char *Geometry::get_mbr_for_points(MBR *mbr, const char *data, uint offset) const { - uint32 points; + uint32 n_points; /* read number of points */ if (no_data(data, 4)) return 0; - points= uint4korr(data); + n_points= uint4korr(data); data+= 4; - if (no_data(data, (SIZEOF_STORED_DOUBLE * 2 + offset) * points)) + if (n_points > max_n_points || + no_data(data, (POINT_DATA_SIZE + offset) * n_points)) return 0; /* Calculate MBR for points */ - while (points--) + while (n_points--) { data+= offset; mbr->add_xy(data, data + SIZEOF_STORED_DOUBLE); @@ -484,9 +485,12 @@ const Geometry::Class_info *Gis_point::get_class_info() const uint32 Gis_line_string::get_data_size() const { - if (no_data(m_data, 4)) + uint32 n_points, size; + if (no_data(m_data, 4) || + (n_points= uint4korr(m_data)) > max_n_points || + no_data(m_data, (size= 4 + n_points * POINT_DATA_SIZE))) return GET_SIZE_ERROR; - return 4 + uint4korr(m_data) * POINT_DATA_SIZE; + return size; } @@ -665,6 +669,9 @@ int Gis_line_string::end_point(String *result) const if (no_data(m_data, 4)) return 1; n_points= uint4korr(m_data); + if (n_points == 0 || n_points > max_n_points || + no_data(m_data, POINT_DATA_SIZE * n_points)) + return 1; return create_point(result, m_data + 4 + (n_points - 1) * POINT_DATA_SIZE); } @@ -674,11 +681,14 @@ int Gis_line_string::point_n(uint32 num, String *result) const uint32 n_points; if (no_data(m_data, 4)) return 1; + num--; n_points= uint4korr(m_data); - if ((uint32) (num - 1) >= n_points) // means (num > n_points || num < 1) + if (num >= n_points || + num > max_n_points || // means (num > n_points || num < 1) + no_data(m_data, num * POINT_DATA_SIZE)) return 1; - return create_point(result, m_data + 4 + (num - 1) * POINT_DATA_SIZE); + return create_point(result, m_data + 4 + num*POINT_DATA_SIZE); } const Geometry::Class_info *Gis_line_string::get_class_info() const @@ -692,6 +702,7 @@ const Geometry::Class_info *Gis_line_string::get_class_info() const uint32 Gis_polygon::get_data_size() const { uint32 n_linear_rings; + uint32 n_points; const char *data= m_data; if (no_data(data, 4)) @@ -701,10 +712,13 @@ uint32 Gis_polygon::get_data_size() const while (n_linear_rings--) { - if (no_data(data, 4)) + if (no_data(data, 4) || + (n_points= uint4korr(data)) > max_n_points) return GET_SIZE_ERROR; - data+= 4 + uint4korr(data)*POINT_DATA_SIZE; + data+= 4 + n_points*POINT_DATA_SIZE; } + if (no_data(data, 0)) + return GET_SIZE_ERROR; return (uint32) (data - m_data); } @@ -1037,9 +1051,14 @@ const Geometry::Class_info *Gis_polygon::get_class_info() const uint32 Gis_multi_point::get_data_size() const { - if (no_data(m_data, 4)) - return GET_SIZE_ERROR; - return 4 + uint4korr(m_data)*(POINT_DATA_SIZE + WKB_HEADER_SIZE); + uint32 n_points; + uint32 size; + + if (no_data(m_data, 4) || + (n_points= uint4korr(m_data)) > max_n_points || + no_data(m_data, (size= 4 + n_points*(POINT_DATA_SIZE + WKB_HEADER_SIZE)))) + return GET_SIZE_ERROR; + return size; } @@ -1107,7 +1126,8 @@ bool Gis_multi_point::get_data_as_wkt(String *txt, const char **end) const return 1; n_points= uint4korr(m_data); - if (no_data(m_data+4, + if (n_points > max_n_points || + no_data(m_data+4, n_points * (SIZEOF_STORED_DOUBLE * 2 + WKB_HEADER_SIZE)) || txt->reserve(((MAX_DIGITS_IN_DOUBLE + 1) * 2 + 1) * n_points)) return 1; @@ -1160,6 +1180,7 @@ const Geometry::Class_info *Gis_multi_point::get_class_info() const uint32 Gis_multi_line_string::get_data_size() const { uint32 n_line_strings; + uint32 n_points; const char *data= m_data; if (no_data(data, 4)) @@ -1169,11 +1190,13 @@ uint32 Gis_multi_line_string::get_data_size() const while (n_line_strings--) { - if (no_data(data, WKB_HEADER_SIZE + 4)) + if (no_data(data, WKB_HEADER_SIZE + 4) || + (n_points= uint4korr(data + WKB_HEADER_SIZE)) > max_n_points) return GET_SIZE_ERROR; - data+= (WKB_HEADER_SIZE + 4 + uint4korr(data + WKB_HEADER_SIZE) * - POINT_DATA_SIZE); + data+= (WKB_HEADER_SIZE + 4 + n_points*POINT_DATA_SIZE); } + if (no_data(data, 0)) + return GET_SIZE_ERROR; return (uint32) (data - m_data); } @@ -1327,7 +1350,7 @@ int Gis_multi_line_string::geometry_n(uint32 num, String *result) const return 1; n_points= uint4korr(data + WKB_HEADER_SIZE); length= WKB_HEADER_SIZE + 4+ POINT_DATA_SIZE * n_points; - if (no_data(data, length)) + if (n_points > max_n_points || no_data(data, length)) return 1; if (!--num) break; @@ -1407,6 +1430,7 @@ const Geometry::Class_info *Gis_multi_line_string::get_class_info() const uint32 Gis_multi_polygon::get_data_size() const { uint32 n_polygons; + uint32 n_points; const char *data= m_data; if (no_data(data, 4)) @@ -1425,11 +1449,14 @@ uint32 Gis_multi_polygon::get_data_size() const while (n_linear_rings--) { - if (no_data(data, 4)) + if (no_data(data, 4) || + (n_points= uint4korr(data)) > max_n_points) return GET_SIZE_ERROR; - data+= 4 + uint4korr(data) * POINT_DATA_SIZE; + data+= 4 + n_points * POINT_DATA_SIZE; } } + if (no_data(data, 0)) + return GET_SIZE_ERROR; return (uint32) (data - m_data); } diff --git a/sql/spatial.h b/sql/spatial.h index 7d254252b3f..d7632c11143 100644 --- a/sql/spatial.h +++ b/sql/spatial.h @@ -199,7 +199,7 @@ class Geometry public: // Maximum number of points in feature that can fit into String static const uint32 max_n_points= - (uint32) (UINT_MAX32 - WKB_HEADER_SIZE - 4 /* n_points */) / + (uint32) (INT_MAX32 - WKB_HEADER_SIZE - 4 /* n_points */) / POINT_DATA_SIZE; public: Geometry() {} /* Remove gcc warning */ -- cgit v1.2.1 From 2cd7cf8fe6fa41fca124c9239468fc22f8df9957 Mon Sep 17 00:00:00 2001 From: unknown Date: Mon, 18 Mar 2013 15:07:52 +0200 Subject: MDEV-4269 fix. Item_default_value inherited form Item_field so should create temporary table field similary. --- sql/sql_select.cc | 1 + 1 file changed, 1 insertion(+) (limited to 'sql') diff --git a/sql/sql_select.cc b/sql/sql_select.cc index bc8b7a9e815..24ca1ab0174 100644 --- a/sql/sql_select.cc +++ b/sql/sql_select.cc @@ -9922,6 +9922,7 @@ Field *create_tmp_field(THD *thd, TABLE *table,Item *item, Item::Type type, } case Item::FIELD_ITEM: case Item::DEFAULT_VALUE_ITEM: + case Item::INSERT_VALUE_ITEM: { Item_field *field= (Item_field*) item; bool orig_modify= modify_item; -- cgit v1.2.1 From 15a7335d77d056e860a9fdc844343c840e310e68 Mon Sep 17 00:00:00 2001 From: Alexey Botchkov Date: Tue, 19 Mar 2013 17:16:10 +0400 Subject: MDEV-4296 Assertion `n_linear_rings > 0' fails in Gis_polygon::centroid_xy. Forgotten DBUG_ASSERT should be replaced with the 'return error'. --- sql/spatial.cc | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'sql') diff --git a/sql/spatial.cc b/sql/spatial.cc index 5a4b768140c..afaa67763e8 100644 --- a/sql/spatial.cc +++ b/sql/spatial.cc @@ -972,13 +972,11 @@ int Gis_polygon::centroid_xy(double *x, double *y) const const char *data= m_data; bool first_loop= 1; - if (no_data(data, 4)) + if (no_data(data, 4) || + (n_linear_rings= uint4korr(data)) == 0) return 1; - n_linear_rings= uint4korr(data); data+= 4; - DBUG_ASSERT(n_linear_rings > 0); - while (n_linear_rings--) { uint32 n_points, org_n_points; -- cgit v1.2.1 From ef737284b416292d21837d7dedbffe66a4b4b8d4 Mon Sep 17 00:00:00 2001 From: Alexey Botchkov Date: Tue, 19 Mar 2013 17:25:58 +0400 Subject: MDEV-4295 Server crashes in get_point on a query with Area, AsBinary, MultiPoint. Need to check if the number of points is 0 for the polygon. --- sql/spatial.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'sql') diff --git a/sql/spatial.cc b/sql/spatial.cc index afaa67763e8..52110960f96 100644 --- a/sql/spatial.cc +++ b/sql/spatial.cc @@ -868,7 +868,7 @@ int Gis_polygon::area(double *ar, const char **end_of_data) const if (no_data(data, 4)) return 1; n_points= uint4korr(data); - if (n_points > max_n_points || + if (n_points == 0 || n_points > max_n_points || no_data(data, (SIZEOF_STORED_DOUBLE*2) * n_points)) return 1; get_point(&prev_x, &prev_y, data+4); @@ -989,7 +989,7 @@ int Gis_polygon::centroid_xy(double *x, double *y) const return 1; org_n_points= n_points= uint4korr(data); data+= 4; - if (n_points > max_n_points || + if (n_points == 0 || n_points > max_n_points || no_data(data, (SIZEOF_STORED_DOUBLE*2) * n_points)) return 1; get_point(&prev_x, &prev_y, data); -- cgit v1.2.1 From 1be429561723dc20ff7f4f1739eb0580cf70564b Mon Sep 17 00:00:00 2001 From: Sergei Golubchik Date: Wed, 20 Mar 2013 16:13:00 +0100 Subject: MDEV-4293 Valgrind warnings (Conditional jump or move depends on uninitialised value) in remove_eq_conds on time functions with NULL argument val_int() is expected to return 0 for NULL's --- sql/item_timefunc.cc | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) (limited to 'sql') diff --git a/sql/item_timefunc.cc b/sql/item_timefunc.cc index 9f2f9b2950d..a3b7611ba69 100644 --- a/sql/item_timefunc.cc +++ b/sql/item_timefunc.cc @@ -856,16 +856,14 @@ longlong Item_func_dayofmonth::val_int() { DBUG_ASSERT(fixed == 1); MYSQL_TIME ltime; - (void) get_arg0_date(<ime, TIME_FUZZY_DATE); - return (longlong) ltime.day; + return get_arg0_date(<ime, TIME_FUZZY_DATE) ? 0 : (longlong) ltime.day; } longlong Item_func_month::val_int() { DBUG_ASSERT(fixed == 1); MYSQL_TIME ltime; - (void) get_arg0_date(<ime, TIME_FUZZY_DATE); - return (longlong) ltime.month; + return get_arg0_date(<ime, TIME_FUZZY_DATE) ? 0 : (longlong) ltime.month; } @@ -919,16 +917,14 @@ longlong Item_func_hour::val_int() { DBUG_ASSERT(fixed == 1); MYSQL_TIME ltime; - (void) get_arg0_time(<ime); - return ltime.hour; + return get_arg0_time(<ime) ? 0 : ltime.hour; } longlong Item_func_minute::val_int() { DBUG_ASSERT(fixed == 1); MYSQL_TIME ltime; - (void) get_arg0_time(<ime); - return ltime.minute; + return get_arg0_time(<ime) ? 0 : ltime.minute; } /** @@ -938,8 +934,7 @@ longlong Item_func_second::val_int() { DBUG_ASSERT(fixed == 1); MYSQL_TIME ltime; - (void) get_arg0_time(<ime); - return ltime.second; + return get_arg0_time(<ime) ? 0 : ltime.second; } @@ -1056,8 +1051,7 @@ longlong Item_func_year::val_int() { DBUG_ASSERT(fixed == 1); MYSQL_TIME ltime; - (void) get_arg0_date(<ime, TIME_FUZZY_DATE); - return (longlong) ltime.year; + return get_arg0_date(<ime, TIME_FUZZY_DATE) ? 0 : (longlong) ltime.year; } -- cgit v1.2.1 From 2b89b0a271fb9d32ad8a509bd8774a5059a8a480 Mon Sep 17 00:00:00 2001 From: Alexey Botchkov Date: Fri, 22 Mar 2013 17:32:27 +0400 Subject: MDEV-4310 geometry function equals hangs forever. The Geometry::get_mbr() function can return an error on a bad data. We have to check for that and act respectively. --- sql/item_geofunc.cc | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) (limited to 'sql') diff --git a/sql/item_geofunc.cc b/sql/item_geofunc.cc index ba330ba3b96..7d0f06d6237 100644 --- a/sql/item_geofunc.cc +++ b/sql/item_geofunc.cc @@ -685,12 +685,11 @@ longlong Item_func_spatial_rel::val_int() if ((null_value= (args[0]->null_value || args[1]->null_value || !(g1= Geometry::construct(&buffer1, res1->ptr(), res1->length())) || - !(g2= Geometry::construct(&buffer2, res2->ptr(), res2->length()))))) + !(g2= Geometry::construct(&buffer2, res2->ptr(), res2->length())) || + g1->get_mbr(&mbr1, &c_end) || + g2->get_mbr(&mbr2, &c_end)))) goto exit; - g1->get_mbr(&mbr1, &c_end); - g2->get_mbr(&mbr2, &c_end); - umbr= mbr1; umbr.add_mbr(&mbr2); collector.set_extent(umbr.xmin, umbr.xmax, umbr.ymin, umbr.ymax); @@ -824,14 +823,14 @@ String *Item_func_spatial_operation::val_str(String *str_value) if ((null_value= (args[0]->null_value || args[1]->null_value || !(g1= Geometry::construct(&buffer1, res1->ptr(), res1->length())) || - !(g2= Geometry::construct(&buffer2, res2->ptr(), res2->length()))))) + !(g2= Geometry::construct(&buffer2, res2->ptr(), res2->length())) || + g1->get_mbr(&mbr1, &c_end) || + g2->get_mbr(&mbr2, &c_end)))) { str_value= 0; goto exit; } - g1->get_mbr(&mbr1, &c_end); - g2->get_mbr(&mbr2, &c_end); mbr1.add_mbr(&mbr2); collector.set_extent(mbr1.xmin, mbr1.xmax, mbr1.ymin, mbr1.ymax); @@ -1356,11 +1355,11 @@ longlong Item_func_issimple::val_int() DBUG_ENTER("Item_func_issimple::val_int"); DBUG_ASSERT(fixed == 1); - if ((null_value= args[0]->null_value) || - !(g= Geometry::construct(&buffer, swkb->ptr(), swkb->length()))) + if ((null_value= (args[0]->null_value || + !(g= Geometry::construct(&buffer, swkb->ptr(), swkb->length())) || + g->get_mbr(&mbr, &c_end)))) DBUG_RETURN(0); - g->get_mbr(&mbr, &c_end); collector.set_extent(mbr.xmin, mbr.xmax, mbr.ymin, mbr.ymax); if (g->get_class_info()->m_type_id == Geometry::wkb_point) @@ -1596,11 +1595,11 @@ double Item_func_distance::val_real() if ((null_value= (args[0]->null_value || args[1]->null_value || !(g1= Geometry::construct(&buffer1, res1->ptr(), res1->length())) || - !(g2= Geometry::construct(&buffer2, res2->ptr(), res2->length()))))) + !(g2= Geometry::construct(&buffer2, res2->ptr(), res2->length())) || + g1->get_mbr(&mbr1, &c_end) || + g2->get_mbr(&mbr2, &c_end)))) goto mem_error; - g1->get_mbr(&mbr1, &c_end); - g2->get_mbr(&mbr2, &c_end); mbr1.add_mbr(&mbr2); collector.set_extent(mbr1.xmin, mbr1.xmax, mbr1.ymin, mbr1.ymax); -- cgit v1.2.1 From 51a707486433d3707ac38deb72c6ad7d3d7bb882 Mon Sep 17 00:00:00 2001 From: unknown Date: Tue, 26 Mar 2013 13:07:46 +0200 Subject: MDEV-4292 fix. Fixed printing column_get finction. --- sql/item_strfunc.cc | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'sql') diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc index 71526c433ed..f8da7cc094c 100644 --- a/sql/item_strfunc.cc +++ b/sql/item_strfunc.cc @@ -4246,11 +4246,16 @@ null: void Item_dyncol_get::print(String *str, enum_query_type query_type) { + /* see create_func_dyncol_get */ + DBUG_ASSERT(str->length() >= 5); + DBUG_ASSERT(strncmp(str->ptr() + str->length() - 5, "cast(", 5) == 0); + + str->length(str->length() - 5); // removing "cast(" str->append(STRING_WITH_LEN("column_get(")); args[0]->print(str, query_type); str->append(','); args[1]->print(str, query_type); - str->append(')'); + /* let the parent cast item add " as )" */ } -- cgit v1.2.1 From 045c498691f77ac8e0d8c8b9b705325b3425c69d Mon Sep 17 00:00:00 2001 From: Alexey Botchkov Date: Tue, 26 Mar 2013 21:47:06 +0400 Subject: GEOMETRYCOLLECTION EMPTY handling fixed. The get_mbr() method shouldn't return the error, rather an invalid MBR in this case. --- sql/item_geofunc.cc | 12 ++++++------ sql/spatial.cc | 19 ++++++++++++++----- sql/spatial.h | 3 +++ 3 files changed, 23 insertions(+), 11 deletions(-) (limited to 'sql') diff --git a/sql/item_geofunc.cc b/sql/item_geofunc.cc index 7d0f06d6237..1168813e275 100644 --- a/sql/item_geofunc.cc +++ b/sql/item_geofunc.cc @@ -559,8 +559,8 @@ longlong Item_func_spatial_mbr_rel::val_int() args[1]->null_value || !(g1= Geometry::construct(&buffer1, res1->ptr(), res1->length())) || !(g2= Geometry::construct(&buffer2, res2->ptr(), res2->length())) || - g1->get_mbr(&mbr1, &dummy) || - g2->get_mbr(&mbr2, &dummy)))) + g1->get_mbr(&mbr1, &dummy) || !mbr1.valid() || + g2->get_mbr(&mbr2, &dummy) || !mbr2.valid()))) return 0; switch (spatial_rel) { @@ -686,8 +686,8 @@ longlong Item_func_spatial_rel::val_int() (args[0]->null_value || args[1]->null_value || !(g1= Geometry::construct(&buffer1, res1->ptr(), res1->length())) || !(g2= Geometry::construct(&buffer2, res2->ptr(), res2->length())) || - g1->get_mbr(&mbr1, &c_end) || - g2->get_mbr(&mbr2, &c_end)))) + g1->get_mbr(&mbr1, &c_end) || !mbr1.valid() || + g2->get_mbr(&mbr2, &c_end) || !mbr2.valid()))) goto exit; umbr= mbr1; @@ -824,8 +824,8 @@ String *Item_func_spatial_operation::val_str(String *str_value) (args[0]->null_value || args[1]->null_value || !(g1= Geometry::construct(&buffer1, res1->ptr(), res1->length())) || !(g2= Geometry::construct(&buffer2, res2->ptr(), res2->length())) || - g1->get_mbr(&mbr1, &c_end) || - g2->get_mbr(&mbr2, &c_end)))) + g1->get_mbr(&mbr1, &c_end) || !mbr1.valid() || + g2->get_mbr(&mbr2, &c_end) || !mbr2.valid()))) { str_value= 0; goto exit; diff --git a/sql/spatial.cc b/sql/spatial.cc index 0da2fdf40b3..cec6150c22a 100644 --- a/sql/spatial.cc +++ b/sql/spatial.cc @@ -308,6 +308,9 @@ bool Geometry::envelope(String *result) const const char *end; if (get_mbr(&mbr, &end)) + return 1; + + if (!mbr.valid()) { /* Empty geometry */ if (result->reserve(1 + 4*2)) @@ -2322,7 +2325,7 @@ bool Gis_geometry_collection::get_mbr(MBR *mbr, const char **end) const n_objects= uint4korr(data); data+= 4; if (n_objects == 0) - return 1; + goto exit; while (n_objects--) { @@ -2339,6 +2342,7 @@ bool Gis_geometry_collection::get_mbr(MBR *mbr, const char **end) const if (geom->get_mbr(mbr, &data)) return 1; } +exit: *end= data; return 0; } @@ -2356,10 +2360,11 @@ int Gis_geometry_collection::area(double *ar, const char **end) const return 1; n_objects= uint4korr(data); data+= 4; - if (n_objects == 0) - return 1; result= 0.0; + if (n_objects == 0) + goto exit; + while (n_objects--) { uint32 wkb_type; @@ -2376,6 +2381,7 @@ int Gis_geometry_collection::area(double *ar, const char **end) const return 1; result+= *ar; } +exit: *end= data; *ar= result; return 0; @@ -2394,10 +2400,11 @@ int Gis_geometry_collection::geom_length(double *len, const char **end) const return 1; n_objects= uint4korr(data); data+= 4; + result= 0.0; + if (n_objects == 0) - return 1; + goto exit; - result= 0.0; while (n_objects--) { uint32 wkb_type; @@ -2414,6 +2421,8 @@ int Gis_geometry_collection::geom_length(double *len, const char **end) const return 1; result+= *len; } + +exit: *end= data; *len= result; return 0; diff --git a/sql/spatial.h b/sql/spatial.h index 6850cc804d0..1108f5d5e50 100644 --- a/sql/spatial.h +++ b/sql/spatial.h @@ -199,6 +199,9 @@ struct MBR return (d == intersection.dimension()); } + + int valid() const + { return xmin <= xmax && ymin <= ymax; } }; -- cgit v1.2.1