mirror of https://github.com/MariaDB/server.git synced 2025-08-08 11:22:35 +03:00

MDEV-4252 geometry query crashes server.

The bug was found by Alyssa Milburn.
      If the number of points of a geometry feature read from its
      binary representation is greater than 0x10000000, then
      (uint32) (num_points * 16) is truncated and loses its high byte,
      which leads to various errors.
      Fixed by adding a check for (num_points > max_n_points).
Alexey Botchkov
2013-03-10 23:08:05 +04:00
parent 027e34e13b
commit 511b943263
4 changed files with 27 additions and 13 deletions


@@ -196,6 +196,11 @@ struct Geometry_buffer;
class Geometry
{
public:
// Maximum number of points in feature that can fit into String
static const uint32 max_n_points=
(uint32) (UINT_MAX32 - WKB_HEADER_SIZE - 4 /* n_points */) /
POINT_DATA_SIZE;
public:
Geometry() {} /* Remove gcc warning */
virtual ~Geometry() {} /* Remove gcc warning */
@@ -379,10 +384,6 @@ public:
class Gis_line_string: public Geometry
{
// Maximum number of points in LineString that can fit into String
static const uint32 max_n_points=
(uint32) (UINT_MAX32 - WKB_HEADER_SIZE - 4 /* n_points */) /
POINT_DATA_SIZE;
public:
Gis_line_string() {} /* Remove gcc warning */
virtual ~Gis_line_string() {} /* Remove gcc warning */
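Review bot: The comment on `max_n_points` in the first hunk (class Geometry) says only that the points "fit into String", but per the commit message its job is to bound an `n_points` value read from untrusted WKB before `num_points * 16` is computed in uint32. I would say so where the constant is declared, e.g. `// Upper bound for an n_points read from WKB: compare against it before computing n_points * POINT_DATA_SIZE, which would otherwise wrap in uint32.` Hoisting the constant into the base class makes it reachable from every subclass, but the comparisons themselves are in files not shown here, so it is worth confirming that each routine that reads a point count applies the check, and that a separate length check against the remaining buffer still follows it, since the bound prevents the wrap but says nothing about how much data is actually present. As a style point, the new side has two `public:` labels in a row around the constant; one of them can be dropped.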