Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash

   the Point() and Linestring() functions create WKB representation of an
   object instead of an real geometry object.
   That produced bugs when these were inserted into tables.

   GIS tests fixed accordingly.
            
per-file messages:
  mysql-test/r/gis-rtree.result
Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
    test result
  mysql-test/r/gis.result
Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
    test result
  mysql-test/t/gis-rtree.test
Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
    test fixed - GeomFromWKB invocations removed
  mysql-test/t/gis.test
Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
    test fixed - AsWKB invocations added
  sql/item_geofunc.cc
Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
     Point() and similar functions to create a proper object

1 files changed, 19 insertions, 8 deletions

diff --git a/sql/item_geofunc.cc b/sql/item_geofunc.cc
index d088f68fc0c..71bd1347f6e 100644
--- a/sql/item_geofunc.cc
+++ b/sql/item_geofunc.cc
@@ -70,10 +70,17 @@ String *Item_func_geometry_from_wkb::val_str(String *str)
 {
   DBUG_ASSERT(fixed == 1);
   String arg_val;
-  String *wkb= args[0]->val_str(&arg_val);
+  String *wkb;
   Geometry_buffer buffer;
   uint32 srid= 0;
 
+  if (args[0]->field_type() == MYSQL_TYPE_GEOMETRY)
+  {
+    return args[0]->val_str(str);
+  }
+
+  wkb= args[0]->val_str(&arg_val);
+
   if ((arg_count == 2) && !args[1]->null_value)
     srid= (uint32)args[1]->val_int();
 
@@ -83,8 +90,8 @@ String *Item_func_geometry_from_wkb::val_str(String *str)
   str->length(0);
   str->q_append(srid);
   if ((null_value= 
-       (args[0]->null_value ||
-        !Geometry::create_from_wkb(&buffer, wkb->ptr(), wkb->length(), str))))
+        (args[0]->null_value ||
+         !Geometry::create_from_wkb(&buffer, wkb->ptr(), wkb->length(), str))))
     return 0;
   return str;
 }
@@ -337,14 +344,16 @@ String *Item_func_point::val_str(String *str)
   DBUG_ASSERT(fixed == 1);
   double x= args[0]->val_real();
   double y= args[1]->val_real();
+  uint32 srid= 0;
 
   if ((null_value= (args[0]->null_value ||
 		    args[1]->null_value ||
-		    str->realloc(1 + 4 + SIZEOF_STORED_DOUBLE*2))))
+                    str->realloc(4/*SRID*/ + 1 + 4 + SIZEOF_STORED_DOUBLE*2))))
     return 0;
 
   str->set_charset(&my_charset_bin);
   str->length(0);
+  str->q_append(srid);
   str->q_append((char)Geometry::wkb_ndr);
   str->q_append((uint32)Geometry::wkb_point);
   str->q_append(x);
@@ -368,12 +377,14 @@ String *Item_func_spatial_collection::val_str(String *str)
   DBUG_ASSERT(fixed == 1);
   String arg_value;
   uint i;
+  uint32 srid= 0;
 
   str->set_charset(&my_charset_bin);
   str->length(0);
-  if (str->reserve(1 + 4 + 4, 512))
+  if (str->reserve(4/*SRID*/ + 1 + 4 + 4, 512))
     goto err;
 
+  str->q_append(srid);
   str->q_append((char) Geometry::wkb_ndr);
   str->q_append((uint32) coll_type);
   str->q_append((uint32) arg_count);
@@ -391,13 +402,13 @@ String *Item_func_spatial_collection::val_str(String *str)
 	In the case of GeometryCollection we don't need any checkings
 	for item types, so just copy them into target collection
       */
-      if (str->append(res->ptr(), len, (uint32) 512))
+      if (str->append(res->ptr() + 4/*SRID*/, len - 4/*SRID*/, (uint32) 512))
         goto err;
     }
     else
     {
       enum Geometry::wkbType wkb_type;
-      const char *data= res->ptr() + 1;
+      const char *data= res->ptr() + 4/*SRID*/ + 1;
 
       /*
 	In the case of named collection we must check that items
@@ -406,7 +417,7 @@ String *Item_func_spatial_collection::val_str(String *str)
 
       wkb_type= (Geometry::wkbType) uint4korr(data);
       data+= 4;
-      len-= 5;
+      len-= 5 + 4/*SRID*/;
       if (wkb_type != item_type)
         goto err;