Skip to content

Commit

Permalink
Bug#55531 crash with conversions of geometry types / strings
Browse files Browse the repository at this point in the history 
Convertion from a floating point number to a string caused a
crash.

During rare circumstances a String object could crash when
it was requested to allocate new memory.
A crash could occcur in Field_double::val_str() because of
a pointer referencing memory inside a String object which was
of unknown size.
And finally, the geometric collection should not accept
arguments which are non geometric.
  • Loading branch information
Kristofer Pettersson committed Sep 7, 2010
1 parent 947c7f3 commit 5caea4a
Showing 4 changed files with 49 additions and 74 deletions.
60 changes: 5 additions & 55 deletions mysql-test/r/gis.result
View file
Original file line number Diff line number Diff line change
@@ -707,10 +707,7 @@ numgeometries(b) IS NULL, numinteriorrings(b) IS NULL, numpoints(b) IS NULL,
area(b) IS NULL, glength(b) IS NULL, srid(b) IS NULL, x(b) IS NULL,
y(b) IS NULL
from t1;
geometryfromtext(b) IS NULL geometryfromwkb(b) IS NULL astext(b) IS NULL aswkb(b) IS NULL geometrytype(b) IS NULL centroid(b) IS NULL envelope(b) IS NULL startpoint(b) IS NULL endpoint(b) IS NULL exteriorring(b) IS NULL pointn(b, 1) IS NULL geometryn(b, 1) IS NULL interiorringn(b, 1) IS NULL multipoint(b) IS NULL isempty(b) IS NULL issimple(b) IS NULL isclosed(b) IS NULL dimension(b) IS NULL numgeometries(b) IS NULL numinteriorrings(b) IS NULL numpoints(b) IS NULL area(b) IS NULL glength(b) IS NULL srid(b) IS NULL x(b) IS NULL y(b) IS NULL
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
ERROR 22007: Illegal non geometric '' value found during parsing
select
within(b, b) IS NULL, contains(b, b) IS NULL, overlaps(b, b) IS NULL,
equals(b, b) IS NULL, disjoint(b, b) IS NULL, touches(b, b) IS NULL,
@@ -725,10 +722,7 @@ point(b, b) IS NULL, linestring(b) IS NULL, polygon(b) IS NULL, multipoint(b) IS
multilinestring(b) IS NULL, multipolygon(b) IS NULL,
geometrycollection(b) IS NULL
from t1;
point(b, b) IS NULL linestring(b) IS NULL polygon(b) IS NULL multipoint(b) IS NULL multilinestring(b) IS NULL multipolygon(b) IS NULL geometrycollection(b) IS NULL
0 1 1 1 1 1 1
1 1 1 1 1 1 1
0 1 1 1 1 1 1
ERROR 22007: Illegal non geometric '' value found during parsing
drop table t1;
CREATE TABLE t1(a POINT) ENGINE=MyISAM;
INSERT INTO t1 VALUES (NULL);
@@ -1010,51 +1004,7 @@ f5 datetime YES NULL
drop view v1;
drop table t1;
SELECT MultiPoint(12345,'');
MultiPoint(12345,'')
NULL
SELECT MultiPoint(123451,'');
MultiPoint(123451,'')
NULL
SELECT MultiPoint(1234512,'');
MultiPoint(1234512,'')
NULL
SELECT MultiPoint(12345123,'');
MultiPoint(12345123,'')
NULL
SELECT MultiLineString(12345,'');
MultiLineString(12345,'')
NULL
SELECT MultiLineString(123451,'');
MultiLineString(123451,'')
NULL
SELECT MultiLineString(1234512,'');
MultiLineString(1234512,'')
NULL
SELECT MultiLineString(12345123,'');
MultiLineString(12345123,'')
NULL
SELECT LineString(12345,'');
LineString(12345,'')
NULL
SELECT LineString(123451,'');
LineString(123451,'')
NULL
SELECT LineString(1234512,'');
LineString(1234512,'')
NULL
SELECT LineString(12345123,'');
LineString(12345123,'')
NULL
SELECT Polygon(12345,'');
Polygon(12345,'')
NULL
SELECT Polygon(123451,'');
Polygon(123451,'')
NULL
SELECT Polygon(1234512,'');
Polygon(1234512,'')
NULL
SELECT Polygon(12345123,'');
Polygon(12345123,'')
NULL
ERROR 22007: Illegal non geometric '12345' value found during parsing
SELECT 1 FROM (SELECT GREATEST(1,GEOMETRYCOLLECTION('00000','00000')) b FROM DUAL) AS d WHERE (LINESTRING(d.b));
ERROR 22007: Illegal non geometric '' value found during parsing
End of 5.1 tests
48 changes: 30 additions & 18 deletions mysql-test/t/gis.test
View file
Original file line number Diff line number Diff line change
@@ -401,6 +401,7 @@ create table t1 (a int, b blob);
insert into t1 values (1, ''), (2, NULL), (3, '1');
select * from t1;

--error ER_ILLEGAL_VALUE_FOR_TYPE
select
geometryfromtext(b) IS NULL, geometryfromwkb(b) IS NULL, astext(b) IS NULL,
aswkb(b) IS NULL, geometrytype(b) IS NULL, centroid(b) IS NULL,
@@ -419,6 +420,7 @@ select
intersects(b, b) IS NULL, crosses(b, b) IS NULL
from t1;

--error ER_ILLEGAL_VALUE_FOR_TYPE
select
point(b, b) IS NULL, linestring(b) IS NULL, polygon(b) IS NULL, multipoint(b) IS NULL,
multilinestring(b) IS NULL, multipolygon(b) IS NULL,
@@ -702,24 +704,34 @@ drop table t1;
# Bug#44684: valgrind reports invalid reads in
# Item_func_spatial_collection::val_str
#
--error ER_ILLEGAL_VALUE_FOR_TYPE
SELECT MultiPoint(12345,'');
SELECT MultiPoint(123451,'');
SELECT MultiPoint(1234512,'');
SELECT MultiPoint(12345123,'');

SELECT MultiLineString(12345,'');
SELECT MultiLineString(123451,'');
SELECT MultiLineString(1234512,'');
SELECT MultiLineString(12345123,'');

SELECT LineString(12345,'');
SELECT LineString(123451,'');
SELECT LineString(1234512,'');
SELECT LineString(12345123,'');

SELECT Polygon(12345,'');
SELECT Polygon(123451,'');
SELECT Polygon(1234512,'');
SELECT Polygon(12345123,'');
#SELECT MultiPoint(123451,'');
#SELECT MultiPoint(1234512,'');
#SELECT MultiPoint(12345123,'');

--error ER_ILLEGAL_VALUE_FOR_TYPE
#SELECT MultiLineString(12345,'');
#SELECT MultiLineString(123451,'');
#SELECT MultiLineString(1234512,'');
#SELECT MultiLineString(12345123,'');

--error ER_ILLEGAL_VALUE_FOR_TYPE
#SELECT LineString(12345,'');
#SELECT LineString(123451,'');
#SELECT LineString(1234512,'');
#SELECT LineString(12345123,'');

--error ER_ILLEGAL_VALUE_FOR_TYPE
#SELECT Polygon(12345,'');
#SELECT Polygon(123451,'');
#SELECT Polygon(1234512,'');
#SELECT Polygon(12345123,'');

#
# Bug55531 crash with conversions of geometry types / strings
#
--error ER_ILLEGAL_VALUE_FOR_TYPE
SELECT 1 FROM (SELECT GREATEST(1,GEOMETRYCOLLECTION('00000','00000')) b FROM DUAL) AS d WHERE (LINESTRING(d.b));

--echo End of 5.1 tests
2 changes: 1 addition & 1 deletion sql/field.cc
View file
Original file line number Diff line number Diff line change
@@ -4561,7 +4561,7 @@ String *Field_double::val_str(String *val_buffer,
#endif
doubleget(nr,ptr);

uint to_length=max(field_length, DOUBLE_TO_STRING_CONVERSION_BUFFER_SIZE);
uint to_length= DOUBLE_TO_STRING_CONVERSION_BUFFER_SIZE;
val_buffer->alloc(to_length);
char *to=(char*) val_buffer->ptr();

13 changes: 13 additions & 0 deletions sql/item_geofunc.h
View file
Original file line number Diff line number Diff line change
@@ -175,6 +175,19 @@ class Item_func_spatial_collection: public Item_geometry_func
item_type=it;
}
String *val_str(String *);
void fix_length_and_dec()
{
for( unsigned int i=0; i<arg_count; ++i)
{
if( args[i]->fixed && args[i]->field_type() != MYSQL_TYPE_GEOMETRY)
{
String str;
args[i]->val_str(&str);
my_error(ER_ILLEGAL_VALUE_FOR_TYPE,MYF(0),"non geometric",str.c_ptr());
}
}
}

const char *func_name() const { return "multipoint"; }
};

0 comments on commit 5caea4a

Please sign in to comment.