author | Alexey Botchkov <holyfoot@askmonty.org> | 2013-03-06 01:45:25 +0400 |
---|---|---|
committer | Alexey Botchkov <holyfoot@askmonty.org> | 2013-03-06 01:45:25 +0400 |
commit | 7fb55ee807937ab78c95cf247747c5711449fc20 (patch) | |
tree | 4b8c1eba52e2628adab82a403bba7f434d298fca /sql/spatial.h | |
parent | ab1c228836b81659e859298096ef163dca8117b5 (diff) | |
download | mariadb-git-7fb55ee807937ab78c95cf247747c5711449fc20.tar.gz |
TODO-424 geometry query crashes server.
The bug was found by Alyssa Milburn.
If the number of points of a geometry feature read from
its binary representation is greater than 0x10000000, then
(uint32) (num_points * 16) wraps around and loses its high-order bits,
which leads to various errors.
Fixed by additional check if (num_points > max_n_points).
Diffstat (limited to 'sql/spatial.h')
-rw-r--r-- | sql/spatial.h | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/sql/spatial.h b/sql/spatial.h
index 1277e7bc01c..f55d1ccba8e 100644
--- a/sql/spatial.h
+++ b/sql/spatial.h
@@ -210,6 +210,11 @@ struct Geometry_buffer;
 class Geometry
 {
 public:
+ // Maximum number of points in feature that can fit into String
+ static const uint32 max_n_points=
+ (uint32) (UINT_MAX32 - WKB_HEADER_SIZE - 4 /* n_points */) /
+ POINT_DATA_SIZE;
+
 Geometry() {} /* Remove gcc warning */
 virtual ~Geometry() {} /* Remove gcc warning */
 static void *operator new(size_t size, void *buffer)
@@ -391,10 +396,6 @@ public:
 
 class Gis_line_string: public Geometry
 {
- // Maximum number of points in LineString that can fit into String
- static const uint32 max_n_points=
- (uint32) (UINT_MAX32 - WKB_HEADER_SIZE - 4 /* n_points */) /
- POINT_DATA_SIZE;
 public:
 Gis_line_string() {} /* Remove gcc warning */
 virtual ~Gis_line_string() {} /* Remove gcc warning */ |
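Review bot: The comment on `max_n_points` in the first hunk reads as a storage-capacity limit, but per the commit message the constant is the guard that keeps `num_points * 16` from wrapping in 32 bits when the count comes from untrusted WKB; the declaration should say so, so that every reader path applies it. I would word it as `// Upper bound for an n_points value read from WKB; reject larger counts before multiplying by POINT_DATA_SIZE, or the uint32 size wraps`. The bound by itself only rules out wrap-around, so each caller presumably still has to compare the resulting byte length with the data actually left in the buffer; those checks are outside this file-limited diff and cannot be confirmed here. The Geometry class body continues past the hunk.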