From 5aec4e2b3bbcaea33d719e2e4e94665c4856e413 Mon Sep 17 00:00:00 2001
From: Alexander Barkov
Date: Fri, 17 Aug 2012 13:14:04 +0400
Subject: Backporting Bug 14100466 from 5.6.

---
 sql/spatial.cc | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

(limited to 'sql/spatial.cc')

diff --git a/sql/spatial.cc b/sql/spatial.cc
index 0d2dd81c71e..07f28855987 100644
--- a/sql/spatial.cc
+++ b/sql/spatial.cc
@@ -525,12 +525,13 @@ uint Gis_line_string::init_from_wkb(const char *wkb, uint len,
 const char *wkb_end;
 Gis_point p;

- if (len < 4)
+ if (len < 4 ||
+ (n_points= wkb_get_uint(wkb, bo)) < 1 ||
+ n_points > max_n_points)
 return 0;
- n_points= wkb_get_uint(wkb, bo);
 proper_length= 4 + n_points * POINT_DATA_SIZE;

- if (!n_points || len < proper_length || res->reserve(proper_length))
+ if (len < proper_length || res->reserve(proper_length))
 return 0;

 res->q_append(n_points);
@@ -1072,9 +1073,9 @@ uint Gis_multi_point::init_from_wkb(const char *wkb, uint len, wkbByteOrder bo,
 Gis_point p;
 const char *wkb_end;

- if (len < 4 ||
+ (n_points= wkb_get_uint(wkb, bo)) > max_n_points)
 return 0;
- n_points= wkb_get_uint(wkb, bo);
 proper_size= 4 + n_points * (WKB_HEADER_SIZE + POINT_DATA_SIZE);

 if (len < proper_size || res->reserve(proper_size))
--
cgit v1.2.1
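Review bot: The new bound `n_points > max_n_points` in Gis_line_string::init_from_wkb carries the whole fix, but nothing in the hunk says why it is there. The count is read from the WKB input, and `proper_length= 4 + n_points * POINT_DATA_SIZE` is only a meaningful value to compare with `len` if that product cannot wrap. max_n_points is defined outside the hunk, so its value cannot be confirmed here; a comment above the condition such as `/* n_points comes from the input; cap it so proper_length cannot wrap */` would record the invariant, and the same applies to the Gis_multi_point hunk. The assignment inside the condition also depends on `len < 4` being evaluated first, which is worth stating in case the condition is ever reordered. The diffstat lists only sql/spatial.cc, so no regression test with an oversized count accompanies the change.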
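Review bot: Gis_multi_point::init_from_wkb still accepts a point count of zero, while the Gis_line_string hunk in this commit rejects `n_points < 1` at the same position. With zero, `proper_size` is 4 and the `len < proper_size` test passes, so parsing proceeds with no points. The removed lines behaved the same way, so this may be intended, but the asymmetry deserves either `(n_points= wkb_get_uint(wkb, bo)) < 1 ||` here or a comment stating that an empty multipoint is allowed. The rest of the function, including the per-point loop, is outside the hunk.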