diff options
Diffstat (limited to 'sql/spatial.cc')
| -rw-r--r-- | sql/spatial.cc | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/sql/spatial.cc b/sql/spatial.cc index 894f2a1dae5..3b98ff2a1b6 100644 --- a/sql/spatial.cc +++ b/sql/spatial.cc @@ -507,12 +507,13 @@ uint Gis_line_string::init_from_wkb(const char *wkb, uint len, const char *wkb_end; Gis_point p; - if (len < 4) + if (len < 4 || + (n_points= wkb_get_uint(wkb, bo)) < 1 || + n_points > max_n_points) return 0; - n_points= wkb_get_uint(wkb, bo); proper_length= 4 + n_points * POINT_DATA_SIZE; - if (!n_points || len < proper_length || res->reserve(proper_length)) + if (len < proper_length || res->reserve(proper_length)) return 0; res->q_append(n_points); @@ -1054,9 +1055,9 @@ uint Gis_multi_point::init_from_wkb(const char *wkb, uint len, wkbByteOrder bo, Gis_point p; const char *wkb_end; - if (len < 4) + if (len < 4 || + (n_points= wkb_get_uint(wkb, bo)) > max_n_points) return 0; - n_points= wkb_get_uint(wkb, bo); proper_size= 4 + n_points * (WKB_HEADER_SIZE + POINT_DATA_SIZE); if (len < proper_size || res->reserve(proper_size)) |