From 511b9432637510617b04bde92c51a184c1e3aea8 Mon Sep 17 00:00:00 2001
From: Alexey Botchkov
Date: Sun, 10 Mar 2013 23:08:05 +0400
Subject: MDEV-4252 geometry query crashes server. The bug was found by Alyssa Milburn. If the number of points of a geometry feature read from binary representation is greater than 0x10000000, then the (uint32) (num_points * 16) will cut the higher byte, which leads to various errors. Fixed by additional check if (num_points > max_n_points).
---
 sql/spatial.h | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
(limited to 'sql/spatial.h')
diff --git a/sql/spatial.h b/sql/spatial.h
index 20b3856ca9a..7d254252b3f 100644
--- a/sql/spatial.h
+++ b/sql/spatial.h
@@ -196,6 +196,11 @@ struct Geometry_buffer;
 class Geometry
 {
+public:
+ // Maximum number of points in feature that can fit into String
+ static const uint32 max_n_points=
+ (uint32) (UINT_MAX32 - WKB_HEADER_SIZE - 4 /* n_points */) /
+ POINT_DATA_SIZE;
 public:
 Geometry() {} /* Remove gcc warning */
 virtual ~Geometry() {} /* Remove gcc warning */
@@ -379,10 +384,6 @@ public:
 class Gis_line_string: public Geometry
 {
- // Maximum number of points in LineString that can fit into String
- static const uint32 max_n_points=
- (uint32) (UINT_MAX32 - WKB_HEADER_SIZE - 4 /* n_points */) /
- POINT_DATA_SIZE;
 public:
 Gis_line_string() {} /* Remove gcc warning */
 virtual ~Gis_line_string() {} /* Remove gcc warning */
-- cgit v1.2.1
From 589247ae86b25eaa9bd75e4f26ecd06831469311 Mon Sep 17 00:00:00 2001
From: Alexey Botchkov
Date: Mon, 18 Mar 2013 17:58:00 +0400
Subject: MDEV-4252 geometry query crashes server. Additional fixes for possible overflows in length-related calculations in 'spatial' implementations. Checks added to the ::get_data_size() methods. max_n_points decreased to occupy less 2G size. An object of that size is practically inoperable anyway.
---
 sql/spatial.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'sql/spatial.h')
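Review bot: In the first hunk of 511b943 (class Geometry), the comment on `max_n_points` states what the bound is but not how it has to be used: the count read from the binary representation must be compared against it before `n_points * POINT_DATA_SIZE` is formed, because that 32-bit product is what wraps. I would extend the comment to something like `// Upper bound for n_points read from WKB; check it before multiplying by POINT_DATA_SIZE`. The checks themselves live outside this file's hunks (the page is limited to sql/spatial.h), so whether every reader of a point count applies the bound cannot be confirmed from here. The added `public:` is also immediately followed by the existing `public:` and could be folded into it; the class body continues outside the hunk.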
diff --git a/sql/spatial.h b/sql/spatial.h
index 7d254252b3f..d7632c11143 100644
--- a/sql/spatial.h
+++ b/sql/spatial.h
@@ -199,7 +199,7 @@ class Geometry
 public:
 // Maximum number of points in feature that can fit into String
 static const uint32 max_n_points=
- (uint32) (UINT_MAX32 - WKB_HEADER_SIZE - 4 /* n_points */) /
+ (uint32) (INT_MAX32 - WKB_HEADER_SIZE - 4 /* n_points */) /
 POINT_DATA_SIZE;
 public:
 Geometry() {} /* Remove gcc warning */
-- cgit v1.2.1
From 045c498691f77ac8e0d8c8b9b705325b3425c69d Mon Sep 17 00:00:00 2001
From: Alexey Botchkov
Date: Tue, 26 Mar 2013 21:47:06 +0400
Subject: GEOMETRYCOLLECTION EMPTY handling fixed. The get_mbr() method shouldn't return the error, rather an invalid MBR in this case.
---
 sql/spatial.h | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'sql/spatial.h')
diff --git a/sql/spatial.h b/sql/spatial.h
index 6850cc804d0..1108f5d5e50 100644
--- a/sql/spatial.h
+++ b/sql/spatial.h
@@ -199,6 +199,9 @@ struct MBR
 return (d == intersection.dimension());
 }
+
+ int valid() const
+ { return xmin <= xmax && ymin <= ymax; }
 };
-- cgit v1.2.1
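Review bot: In the 589247a hunk, the comment kept as context above the changed line still says the bound is what "can fit into String", while the new expression is derived from `INT_MAX32`, so the constant now keeps one run of points just under 2G bytes. I would reword it to `// Maximum number of points whose WKB size (header + count + points) stays below INT_MAX32`. The expression accounts for one header and one count only, so code that adds up several rings or collection members presumably still needs its own overflow check; the commit message says such checks went into the get_data_size() methods, which are not part of this file's hunk. The class body continues outside the hunk.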
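Review bot: In the 045c498 hunk, `valid()` is added to MBR without a comment, and the commit message is the only place that says an invalid MBR is now what get_mbr() yields for GEOMETRYCOLLECTION EMPTY instead of an error. I would put `// False for the MBR of an empty geometry (xmin > xmax or ymin > ymax); test before using the bounds` above it. As written it also returns false when a coordinate is NaN, since both comparisons then fail, which is worth stating if that is intended. Callers that used to rely on get_mbr()'s error return now have to call valid() before reading xmin..ymax; those call sites are not visible in this hunk.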