authorAlexey Botchkov <holyfoot@mysql.com>2009-04-28 14:47:26 +0500
committerAlexey Botchkov <holyfoot@mysql.com>2009-04-28 14:47:26 +0500
commit620fb880d7b45f67abc3edd20aed2aca11b039cd (patch)
tree4f8b3fb1aa025b84562771100388c2a790589804 /sql/item_geofunc.cc
parentdef04705986a9abad6927c0b52aaf63c136b546b (diff)
Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash
The Point() and Linestring() functions create a WKB representation of an object instead of a real geometry object. That produced bugs when these were inserted into tables. GIS tests fixed accordingly. per-file messages: mysql-test/r/gis-rtree.result Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash test result mysql-test/r/gis.result Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash test result mysql-test/t/gis-rtree.test Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash test fixed - GeomFromWKB invocations removed mysql-test/t/gis.test Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash test fixed - AsWKB invocations added sql/item_geofunc.cc Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash Point() and similar functions to create a proper object
Diffstat (limited to 'sql/item_geofunc.cc')
-rw-r--r--sql/item_geofunc.cc27
1 files changed, 19 insertions, 8 deletions
diff --git a/sql/item_geofunc.cc b/sql/item_geofunc.cc
index d088f68fc0c..71bd1347f6e 100644
--- a/sql/item_geofunc.cc
+++ b/sql/item_geofunc.cc
@@ -70,10 +70,17 @@ String *Item_func_geometry_from_wkb::val_str(String *str)
{
DBUG_ASSERT(fixed == 1);
String arg_val;
- String *wkb= args[0]->val_str(&arg_val);
+ String *wkb;
Geometry_buffer buffer;
uint32 srid= 0;
+ if (args[0]->field_type() == MYSQL_TYPE_GEOMETRY)
+ {
+ return args[0]->val_str(str);
+ }
+
+ wkb= args[0]->val_str(&arg_val);
+
if ((arg_count == 2) && !args[1]->null_value)
srid= (uint32)args[1]->val_int();
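Review bot: The new early return for a MYSQL_TYPE_GEOMETRY argument hands back `args[0]->val_str(str)` without updating this item's `null_value`, so a NULL geometry argument yields a null pointer while `null_value` keeps whatever an earlier evaluation left in it. Capture the result and copy the flag before returning: `String *res= args[0]->val_str(str); null_value= args[0]->null_value; return res;`. That path also returns before the optional SRID in `args[1]` is read; if passing the geometry through unchanged is intended, a one-line comment saying so would help. The function body continues outside the hunk.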
@@ -83,8 +90,8 @@ String *Item_func_geometry_from_wkb::val_str(String *str)
str->length(0);
str->q_append(srid);
if ((null_value=
- (args[0]->null_value ||
- !Geometry::create_from_wkb(&buffer, wkb->ptr(), wkb->length(), str))))
+ (args[0]->null_value ||
+ !Geometry::create_from_wkb(&buffer, wkb->ptr(), wkb->length(), str))))
return 0;
return str;
}
@@ -337,14 +344,16 @@ String *Item_func_point::val_str(String *str)
DBUG_ASSERT(fixed == 1);
double x= args[0]->val_real();
double y= args[1]->val_real();
+ uint32 srid= 0;
if ((null_value= (args[0]->null_value ||
args[1]->null_value ||
- str->realloc(1 + 4 + SIZEOF_STORED_DOUBLE*2))))
+ str->realloc(4/*SRID*/ + 1 + 4 + SIZEOF_STORED_DOUBLE*2))))
return 0;
str->set_charset(&my_charset_bin);
str->length(0);
+ str->q_append(srid);
str->q_append((char)Geometry::wkb_ndr);
str->q_append((uint32)Geometry::wkb_point);
str->q_append(x);
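Review bot: The size of the SRID prefix is written as the bare literal `4/*SRID*/` in the `realloc` call here and again in the `reserve`, `append`, `data` and `len` lines of the Item_func_spatial_collection::val_str hunks, so one layout rule is repeated in five places. A single named constant, for instance `static const uint SRID_SIZE= 4;` (the name is a suggestion; reuse an existing one if the tree has it), would keep the code that writes the prefix and the code that skips it in agreement. The function body continues outside the hunk.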
@@ -368,12 +377,14 @@ String *Item_func_spatial_collection::val_str(String *str)
DBUG_ASSERT(fixed == 1);
String arg_value;
uint i;
+ uint32 srid= 0;
str->set_charset(&my_charset_bin);
str->length(0);
- if (str->reserve(1 + 4 + 4, 512))
+ if (str->reserve(4/*SRID*/ + 1 + 4 + 4, 512))
goto err;
+ str->q_append(srid);
str->q_append((char) Geometry::wkb_ndr);
str->q_append((uint32) coll_type);
str->q_append((uint32) arg_count);
@@ -391,13 +402,13 @@ String *Item_func_spatial_collection::val_str(String *str)
In the case of GeometryCollection we don't need any checkings
for item types, so just copy them into target collection
*/
- if (str->append(res->ptr(), len, (uint32) 512))
+ if (str->append(res->ptr() + 4/*SRID*/, len - 4/*SRID*/, (uint32) 512))
goto err;
}
else
{
enum Geometry::wkbType wkb_type;
- const char *data= res->ptr() + 1;
+ const char *data= res->ptr() + 4/*SRID*/ + 1;
/*
In the case of named collection we must check that items
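Review bot: The new offsets assume every argument value starts with a 4-byte SRID, but no length check that accounts for those bytes is visible in these hunks. `len - 4/*SRID*/` in the `append` call, `res->ptr() + 4/*SRID*/ + 1` followed by `uint4korr(data)`, and `len-= 5 + 4/*SRID*/` in the next hunk all need the value to be at least 9 bytes long; if `len` is unsigned, a shorter value makes the subtraction wrap and the later size comparisons stop protecting the reads. The existing check earlier in the loop is outside the hunk, so confirm whether it still only requires the 5-byte WKB header, and if so add `if (len < 4/*SRID*/ + 1 + 4) goto err;` before the branch on `coll_type`. A test case with a too-short string argument to each collection constructor would pin this down.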
@@ -406,7 +417,7 @@ String *Item_func_spatial_collection::val_str(String *str)
wkb_type= (Geometry::wkbType) uint4korr(data);
data+= 4;
- len-= 5;
+ len-= 5 + 4/*SRID*/;
if (wkb_type != item_type)
goto err;