From 44d88da575abd81bed9ef036c98de2d5b0862d0c Mon Sep 17 00:00:00 2001
From: Ramil Kalimullin
Date: Mon, 5 Mar 2012 21:58:07 +0400
Subject: [PATCH 1/2] Fix for BUG#12414917 - ISCLOSED() CRASHES ON 64-BIT BUILDS Problem: lack of incoming geometry data validation may lead to a server crash when ISCLOSED() function called. Solution: necessary incoming data check added.
---
 mysql-test/r/gis.result | 6 ++++++
 mysql-test/t/gis.test | 7 +++++++
 sql/spatial.cc | 3 ++-
 3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/mysql-test/r/gis.result b/mysql-test/r/gis.result
index acb55d225a7..9b901e0f93f 100644
--- a/mysql-test/r/gis.result
+++ b/mysql-test/r/gis.result
@@ -1075,4 +1075,10 @@ SPATIAL INDEX i1 (col1, col2)
 );
 ERROR HY000: Incorrect arguments to SPATIAL INDEX
 DROP TABLE t0, t1, t2;
+#
+# BUG#12414917 - ISCLOSED() CRASHES ON 64-BIT BUILDS
+#
+SELECT ISCLOSED(CONVERT(CONCAT(' ', 0x2), BINARY(20)));
+ISCLOSED(CONVERT(CONCAT(' ', 0x2), BINARY(20)))
+NULL
 End of 5.1 tests
diff --git a/mysql-test/t/gis.test b/mysql-test/t/gis.test
index f8cec14d9ae..fbd4c87cb97 100644
--- a/mysql-test/t/gis.test
+++ b/mysql-test/t/gis.test
@@ -812,4 +812,11 @@ CREATE TABLE t3 (
 # cleanup
 DROP TABLE t0, t1, t2;
+
+--echo #
+--echo # BUG#12414917 - ISCLOSED() CRASHES ON 64-BIT BUILDS
+--echo #
+SELECT ISCLOSED(CONVERT(CONCAT(' ', 0x2), BINARY(20)));
+
+
 --echo End of 5.1 tests
diff --git a/sql/spatial.cc b/sql/spatial.cc
index ed3d72b91ec..0d2dd81c71e 100644
--- a/sql/spatial.cc
+++ b/sql/spatial.cc
@@ -627,7 +627,8 @@ int Gis_line_string::is_closed(int *closed) const
 return 0;
 }
 data+= 4;
- if (no_data(data, SIZEOF_STORED_DOUBLE * 2 * n_points))
+ if (n_points == 0 ||
+ no_data(data, SIZEOF_STORED_DOUBLE * 2 * n_points))
 return 1;
 /* Get first point */
From 97c429f65b14335a3322c0c78700582e136607ec Mon Sep 17 00:00:00 2001
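Review bot: In sql/spatial.cc, the length handed to no_data() on the new lines, `SIZEOF_STORED_DOUBLE * 2 * n_points`, is still multiplied out before n_points has any upper bound, so if n_points is a 32-bit unsigned count read from the geometry blob (its declaration is outside the hunk) a very large count could wrap the product and let the check pass on a short buffer. The added `n_points == 0` test covers only the zero case named in the bug. Bounding the count before multiplying would close the gap, for example `if (n_points == 0 || n_points > 0xFFFFFFFFU / (SIZEOF_STORED_DOUBLE * 2) || no_data(data, SIZEOF_STORED_DOUBLE * 2 * n_points)) return 1;`. is_closed() begins and ends outside the hunk, so the later use of n_points should be checked against the same bound.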
From: Ramil Kalimullin
Date: Mon, 5 Mar 2012 22:15:23 +0400
Subject: [PATCH 2/2] BUG#12537203 - CRASH WHEN SUBSELECTING GLOBAL VARIABLES IN GEOMETRY FUNCTION ARGUMENTS A defect in the subquery substitution code may lead to a server crash: setting substitution's name should be followed by setting its length (to keep them in sync).
---
 mysql-test/r/gis.result | 6 ++++++
 mysql-test/t/gis.test | 7 +++++++
 sql/item_subselect.cc | 1 +
 3 files changed, 14 insertions(+)
diff --git a/mysql-test/r/gis.result b/mysql-test/r/gis.result
index 9b901e0f93f..9af100e479c 100644
--- a/mysql-test/r/gis.result
+++ b/mysql-test/r/gis.result
@@ -1081,4 +1081,10 @@ DROP TABLE t0, t1, t2;
 SELECT ISCLOSED(CONVERT(CONCAT(' ', 0x2), BINARY(20)));
 ISCLOSED(CONVERT(CONCAT(' ', 0x2), BINARY(20)))
 NULL
+#
+# BUG#12537203 - CRASH WHEN SUBSELECTING GLOBAL VARIABLES IN
+# GEOMETRY FUNCTION ARGUMENTS
+#
+SELECT GEOMETRYCOLLECTION((SELECT @@OLD));
+ERROR 22007: Illegal non geometric '' value found during parsing
 End of 5.1 tests
diff --git a/mysql-test/t/gis.test b/mysql-test/t/gis.test
index fbd4c87cb97..c2a1416f9a1 100644
--- a/mysql-test/t/gis.test
+++ b/mysql-test/t/gis.test
@@ -818,5 +818,12 @@ DROP TABLE t0, t1, t2;
 --echo #
 SELECT ISCLOSED(CONVERT(CONCAT(' ', 0x2), BINARY(20)));
+--echo #
+--echo # BUG#12537203 - CRASH WHEN SUBSELECTING GLOBAL VARIABLES IN
+--echo # GEOMETRY FUNCTION ARGUMENTS
+--echo #
+--error ER_ILLEGAL_VALUE_FOR_TYPE
+SELECT GEOMETRYCOLLECTION((SELECT @@OLD));
+
 --echo End of 5.1 tests
diff --git a/sql/item_subselect.cc b/sql/item_subselect.cc
index e9e2e8bacf9..8335ae2ca8d 100644
--- a/sql/item_subselect.cc
+++ b/sql/item_subselect.cc
@@ -173,6 +173,7 @@ bool Item_subselect::fix_fields(THD *thd_param, Item **ref)
 (*ref)= substitution;
 substitution->name= name;
+ substitution->name_length= name_length;
 if (have_to_be_excluded)
 engine->exclude();
 substitution= 0;
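Review bot: The new `substitution->name_length= name_length;` in Item_subselect::fix_fields keeps the two fields in sync by hand, and nothing at the assignment says why both are needed, so the next site that copies `name` alone can reintroduce the same crash. A comment above the pair would record the invariant, e.g. `/* name and name_length must always be copied together */`; a small helper that sets both would enforce it, if the Item class (not visible here) allows one. fix_fields continues outside the hunk, so other assignments to `name` in it are worth checking for the same omission.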