author | Alexey Botchkov <holyfoot@askmonty.org> | 2013-03-10 23:08:05 +0400 |
---|---|---|
committer | Alexey Botchkov <holyfoot@askmonty.org> | 2013-03-10 23:08:05 +0400 |
commit | 511b9432637510617b04bde92c51a184c1e3aea8 (patch) | |
tree | ec8722e7d04b13f0bda411a5b2cd9dc89efd4570 /sql/spatial.h | |
parent | 027e34e13b8d0baed51e26be8d4ffd86d9b3b041 (diff) | |
MDEV-4252 geometry query crashes server.
The bug was found by Alyssa Milburn.
If the number of points of a geometry feature read from
binary representation is greater than 0x10000000, then
the (uint32) (num_points * 16) will truncate the higher byte,
which leads to various errors.
Fixed by an additional check: if (num_points > max_n_points).
Diffstat (limited to 'sql/spatial.h')
-rw-r--r-- | sql/spatial.h | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/sql/spatial.h b/sql/spatial.h
index 20b3856ca9a..7d254252b3f 100644
--- a/sql/spatial.h
+++ b/sql/spatial.h
@@ -197,6 +197,11 @@ struct Geometry_buffer;
 class Geometry
 {
 public:
+ // Maximum number of points in feature that can fit into String
+ static const uint32 max_n_points=
+ (uint32) (UINT_MAX32 - WKB_HEADER_SIZE - 4 /* n_points */) /
+ POINT_DATA_SIZE;
+public:
 Geometry() {} /* Remove gcc warning */
 virtual ~Geometry() {} /* Remove gcc warning */
 static void *operator new(size_t size, void *buffer)
@@ -379,10 +384,6 @@ public:
 
 class Gis_line_string: public Geometry
 {
- // Maximum number of points in LineString that can fit into String
- static const uint32 max_n_points=
- (uint32) (UINT_MAX32 - WKB_HEADER_SIZE - 4 /* n_points */) /
- POINT_DATA_SIZE;
 public:
 Gis_line_string() {} /* Remove gcc warning */
 virtual ~Gis_line_string() {} /* Remove gcc warning */ |
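Review bot: The comment on `max_n_points` in the first hunk (class `Geometry`) should state the invariant it guards, now that the constant is public and shared by every feature type: as written, the bound only guarantees that `WKB_HEADER_SIZE + 4 + n_points * POINT_DATA_SIZE` fits in a uint32. A caller that multiplies the count by a larger per-element size (for example one that also carries a WKB header per element) would presumably still wrap, so such callers need their own bound or a 64-bit size computation; the call sites are outside this file section and should be checked against that. I would word the comment as `// Largest n_points for which WKB_HEADER_SIZE + 4 + n_points * POINT_DATA_SIZE fits in uint32; compare before multiplying`. The added `+public:` repeats the access specifier already in effect on the preceding line and can be dropped. The body of `Geometry` continues outside the hunk.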