From 9a4a7cf184b40b203702043f886f9bd9c26592fd Mon Sep 17 00:00:00 2001
From: Kristofer Pettersson
Date: Tue, 7 Sep 2010 11:37:46 +0200
Subject: [PATCH 1/2] Bug#55531 crash with conversions of geometry types / strings

Convertion from a floating point number to a string caused a crash. During rare circumstances a String object could crash when it was requested to allocate new memory. A crash could occcur in Field_double::val_str() because of a pointer referencing memory inside a String object which was of unknown size. And finally, the geometric collection should not accept arguments which are non geometric.

mysql-test/r/gis.result:
* Test cases change because we intercept the error behind the previous crashes much earlier.
sql/field.cc:
* It makes no sense to impose a lower limit on the length and not setting a upper limit will cause crashes later.
sql/item_geofunc.h:
* Disallow for binding with field- and item types which differ from MYSQL_TYPE_GEOMETRY types.
---
 mysql-test/r/gis.result | 60 ++++-------------------------------------
 mysql-test/t/gis.test | 42 ++++++++++++++++++-----------
 sql/field.cc | 2 +-
 sql/item_geofunc.h | 13 +++++++++
 4 files changed, 46 insertions(+), 71 deletions(-)

diff --git a/mysql-test/r/gis.result b/mysql-test/r/gis.result
index 3e28227d542..565563237d1 100644
--- a/mysql-test/r/gis.result
+++ b/mysql-test/r/gis.result
@@ -707,10 +707,7 @@ numgeometries(b) IS NULL, numinteriorrings(b) IS NULL, numpoints(b) IS NULL,
 area(b) IS NULL, glength(b) IS NULL, srid(b) IS NULL, x(b) IS NULL, y(b) IS NULL
 from t1;
-geometryfromtext(b) IS NULL geometryfromwkb(b) IS NULL astext(b) IS NULL aswkb(b) IS NULL geometrytype(b) IS NULL centroid(b) IS NULL envelope(b) IS NULL startpoint(b) IS NULL endpoint(b) IS NULL exteriorring(b) IS NULL pointn(b, 1) IS NULL geometryn(b, 1) IS NULL interiorringn(b, 1) IS NULL multipoint(b) IS NULL isempty(b) IS NULL issimple(b) IS NULL isclosed(b) IS NULL dimension(b) IS NULL numgeometries(b) IS NULL numinteriorrings(b) IS NULL numpoints(b) IS NULL area(b) IS NULL glength(b) IS NULL srid(b) IS NULL x(b) IS NULL y(b) IS NULL
-1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
-1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
-1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
+ERROR 22007: Illegal non geometric '' value found during parsing
 select within(b, b) IS NULL, contains(b, b) IS NULL, overlaps(b, b) IS NULL,
 equals(b, b) IS NULL, disjoint(b, b) IS NULL, touches(b, b) IS NULL,
@@ -725,10 +722,7 @@ point(b, b) IS NULL, linestring(b) IS NULL, polygon(b) IS NULL, multipoint(b) IS
 multilinestring(b) IS NULL, multipolygon(b) IS NULL,
 geometrycollection(b) IS NULL
 from t1;
-point(b, b) IS NULL linestring(b) IS NULL polygon(b) IS NULL multipoint(b) IS NULL multilinestring(b) IS NULL multipolygon(b) IS NULL geometrycollection(b) IS NULL
-0 1 1 1 1 1 1
-1 1 1 1 1 1 1
-0 1 1 1 1 1 1
+ERROR 22007: Illegal non geometric '' value found during parsing
 drop table t1;
 CREATE TABLE t1(a POINT) ENGINE=MyISAM;
 INSERT INTO t1 VALUES (NULL);
@@ -1010,51 +1004,7 @@ f5 datetime YES NULL
 drop view v1;
 drop table t1;
 SELECT MultiPoint(12345,'');
-MultiPoint(12345,'')
-NULL
-SELECT MultiPoint(123451,'');
-MultiPoint(123451,'')
-NULL
-SELECT MultiPoint(1234512,'');
-MultiPoint(1234512,'')
-NULL
-SELECT MultiPoint(12345123,'');
-MultiPoint(12345123,'')
-NULL
-SELECT MultiLineString(12345,'');
-MultiLineString(12345,'')
-NULL
-SELECT MultiLineString(123451,'');
-MultiLineString(123451,'')
-NULL
-SELECT MultiLineString(1234512,'');
-MultiLineString(1234512,'')
-NULL
-SELECT MultiLineString(12345123,'');
-MultiLineString(12345123,'')
-NULL
-SELECT LineString(12345,'');
-LineString(12345,'')
-NULL
-SELECT LineString(123451,'');
-LineString(123451,'')
-NULL
-SELECT LineString(1234512,'');
-LineString(1234512,'')
-NULL
-SELECT LineString(12345123,'');
-LineString(12345123,'')
-NULL
-SELECT Polygon(12345,'');
-Polygon(12345,'')
-NULL
-SELECT Polygon(123451,'');
-Polygon(123451,'')
-NULL
-SELECT Polygon(1234512,'');
-Polygon(1234512,'')
-NULL
-SELECT Polygon(12345123,'');
-Polygon(12345123,'')
-NULL
+ERROR 22007: Illegal non geometric '12345' value found during parsing
+SELECT 1 FROM (SELECT GREATEST(1,GEOMETRYCOLLECTION('00000','00000')) b FROM DUAL) AS d WHERE (LINESTRING(d.b));
+ERROR 22007: Illegal non geometric '' value found during parsing
 End of 5.1 tests
diff --git a/mysql-test/t/gis.test b/mysql-test/t/gis.test
index bc0695aaa93..5a367188163 100644
--- a/mysql-test/t/gis.test
+++ b/mysql-test/t/gis.test
@@ -401,6 +401,7 @@ create table t1 (a int, b blob);
 insert into t1 values (1, ''), (2, NULL), (3, '1');
 select * from t1;
+--error ER_ILLEGAL_VALUE_FOR_TYPE
 select geometryfromtext(b) IS NULL, geometryfromwkb(b) IS NULL, astext(b) IS NULL,
 aswkb(b) IS NULL, geometrytype(b) IS NULL, centroid(b) IS NULL,
@@ -419,6 +420,7 @@ select
 intersects(b, b) IS NULL, crosses(b, b) IS NULL
 from t1;
+--error ER_ILLEGAL_VALUE_FOR_TYPE
 select point(b, b) IS NULL, linestring(b) IS NULL, polygon(b) IS NULL, multipoint(b) IS NULL,
 multilinestring(b) IS NULL, multipolygon(b) IS NULL,
@@ -702,24 +704,34 @@ drop table t1;
 # Bug#44684: valgrind reports invalid reads in
 # Item_func_spatial_collection::val_str
 #
+--error ER_ILLEGAL_VALUE_FOR_TYPE
 SELECT MultiPoint(12345,'');
-SELECT MultiPoint(123451,'');
-SELECT MultiPoint(1234512,'');
-SELECT MultiPoint(12345123,'');
+#SELECT MultiPoint(123451,'');
+#SELECT MultiPoint(1234512,'');
+#SELECT MultiPoint(12345123,'');
-SELECT MultiLineString(12345,'');
-SELECT MultiLineString(123451,'');
-SELECT MultiLineString(1234512,'');
-SELECT MultiLineString(12345123,'');
+--error ER_ILLEGAL_VALUE_FOR_TYPE
+#SELECT MultiLineString(12345,'');
+#SELECT MultiLineString(123451,'');
+#SELECT MultiLineString(1234512,'');
+#SELECT MultiLineString(12345123,'');
-SELECT LineString(12345,'');
-SELECT LineString(123451,'');
-SELECT LineString(1234512,'');
-SELECT LineString(12345123,'');
+--error ER_ILLEGAL_VALUE_FOR_TYPE
+#SELECT LineString(12345,'');
+#SELECT LineString(123451,'');
+#SELECT LineString(1234512,'');
+#SELECT LineString(12345123,'');
-SELECT Polygon(12345,'');
-SELECT Polygon(123451,'');
-SELECT Polygon(1234512,'');
-SELECT Polygon(12345123,'');
+--error ER_ILLEGAL_VALUE_FOR_TYPE
+#SELECT Polygon(12345,'');
+#SELECT Polygon(123451,'');
+#SELECT Polygon(1234512,'');
+#SELECT Polygon(12345123,'');
+
+#
+# Bug55531 crash with conversions of geometry types / strings
+#
+--error ER_ILLEGAL_VALUE_FOR_TYPE
+SELECT 1 FROM (SELECT GREATEST(1,GEOMETRYCOLLECTION('00000','00000')) b FROM DUAL) AS d WHERE (LINESTRING(d.b));
 --echo End of 5.1 tests
diff --git a/sql/field.cc b/sql/field.cc
index 619e6a780da..724f8e0af73 100644
--- a/sql/field.cc
+++ b/sql/field.cc
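Review bot: The `--error ER_ILLEGAL_VALUE_FOR_TYPE` directives added in front of the commented-out MultiLineString, LineString and Polygon groups have no statement to apply to, and those Bug#44684 regression cases are no longer executed at all, so the valgrind invalid-read scenario stays covered only for `SELECT MultiPoint(12345,'');`. Either delete the commented lines together with their dangling directives, or keep one statement per constructor live with its expected error, e.g. `--error ER_ILLEGAL_VALUE_FOR_TYPE` followed by `SELECT MultiLineString(12345,'');`, so each collection type keeps a regression test. A one-line comment stating why the remaining cases were dropped would also help, since the hunk gives no reason for disabling them.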
@@ -4561,7 +4561,7 @@ String *Field_double::val_str(String *val_buffer,
 #endif
 doubleget(nr,ptr);
- uint to_length=max(field_length, DOUBLE_TO_STRING_CONVERSION_BUFFER_SIZE);
+ uint to_length= DOUBLE_TO_STRING_CONVERSION_BUFFER_SIZE;
 val_buffer->alloc(to_length);
 char *to=(char*) val_buffer->ptr();
diff --git a/sql/item_geofunc.h b/sql/item_geofunc.h
index edbe104e307..070c2cd26fc 100644
--- a/sql/item_geofunc.h
+++ b/sql/item_geofunc.h
@@ -175,6 +175,19 @@ public:
 item_type=it;
 }
 String *val_str(String *);
+ void fix_length_and_dec()
+ {
+ for( unsigned int i=0; ifixed && args[i]->field_type() != MYSQL_TYPE_GEOMETRY)
+ {
+ String str;
+ args[i]->val_str(&str);
+ my_error(ER_ILLEGAL_VALUE_FOR_TYPE,MYF(0),"non geometric",str.c_ptr());
+ }
+ }
+ }
+
 const char *func_name() const { return "multipoint"; }
 };
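Review bot: `val_buffer->alloc(to_length)` on the line after the changed one still ignores its return value, so a failed allocation leaves `val_buffer->ptr()` pointing at whatever buffer (or NULL) the String held before and the write through `to` that follows is the same class of crash the commit message attributes to String allocation; check it before taking the pointer, e.g. `if (val_buffer->alloc(to_length)) { my_error(ER_OUT_OF_RESOURCES, MYF(0)); return val_buffer; }`. The new line would also read better with a short why-comment, such as `// field_length bounds the stored value, not the formatted text; the conversion buffer does`, since the old `max()` looked deliberate. Field_double::val_str starts and ends outside the hunk.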
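Review bot: The validation loop in the new `fix_length_and_dec()` keeps iterating after `my_error()`, so a call with several non-geometry arguments raises one error per argument and evaluates each of them through `args[i]->val_str(&str)` at fix time; add `return;` directly after the `my_error()` call, and consider guarding the evaluation with `if (args[i]->const_item())` or using a generic message, because evaluating a column reference or subquery argument during fix_length_and_dec is not something the rest of this class does. The `for` header is garbled on this page (`for( unsigned int i=0; ifixed && ...`); presumably the `i<arg_count` bound and the `if (args[i]->fixed && ...)` line were lost in rendering, so confirm against the real file. Since `fix_length_and_dec()` returns void, the rejection only works if the caller checks the thread error state afterwards; a one-line comment saying so, e.g. `// Reports ER_ILLEGAL_VALUE_FOR_TYPE; caller must check thd->is_error() after fix_length_and_dec()`, would make that dependency visible.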
@@ -1185,41 +1185,6 @@ NULL 1
 DROP TABLE t1, t2, mm1;
 #
-# Bug #55568: user variable assignments crash server when used within
-# query
-#
-CREATE TABLE t1 (a INT);
-INSERT INTO t1 VALUES (0), (1);
-SELECT MULTIPOINT(
-1,
-(
-SELECT MULTIPOINT(
-MULTIPOINT(
-1,
-(SELECT COUNT(*) FROM (SELECT 1 FROM t1 GROUP BY a,a) d)
-)
-) FROM t1
-)
-) != COUNT(*) q FROM t1 GROUP BY a;
-q
-NULL
-NULL
-SELECT MULTIPOINT(
-1,
-(
-SELECT MULTIPOINT(
-MULTIPOINT(
-1,
-(SELECT COUNT(*) FROM (SELECT 1 FROM t1 GROUP BY a,a) d)
-)
-) FROM t1
-)
-) != COUNT(*) q FROM t1 GROUP BY a;
-q
-NULL
-NULL
-DROP TABLE t1;
-#
 # Bug #54468: crash after item's print() function when ordering/grouping
 # by subquery
 #
diff --git a/mysql-test/t/join.test b/mysql-test/t/join.test
index 73a1ae5eb82..05d630edfb2 100644
--- a/mysql-test/t/join.test
+++ b/mysql-test/t/join.test
@@ -851,33 +851,37 @@ ENGINE=MERGE UNION=(t1,t2);
 SELECT t1.a FROM mm1,t1;
 DROP TABLE t1, t2, mm1;
---echo #
---echo # Bug #55568: user variable assignments crash server when used within
---echo # query
---echo #
+#--echo #
+#--echo # Bug #55568: user variable assignments crash server when used within
+#--echo # query
+#--echo #
+ #
+ #
+ # This test case is invalidated because of fix of bug 55531
+ # The reason is that {1} is not a valid geometric collection.
+ #
+ #CREATE TABLE t1 (a INT);
-CREATE TABLE t1 (a INT);
+#INSERT INTO t1 VALUES (0), (1);
-INSERT INTO t1 VALUES (0), (1);
-
-let $i=2;
-while ($i)
-{
- SELECT MULTIPOINT(
- 1,
- (
- SELECT MULTIPOINT(
- MULTIPOINT(
- 1,
- (SELECT COUNT(*) FROM (SELECT 1 FROM t1 GROUP BY a,a) d)
- )
- ) FROM t1
- )
- ) != COUNT(*) q FROM t1 GROUP BY a;
- dec $i;
-}
-
-DROP TABLE t1;
+#let $i=2;
+#while ($i)
+#{
+# SELECT MULTIPOINT(
+# 1,
+# (
+# SELECT MULTIPOINT(
+# MULTIPOINT(
+# 1,
+# (SELECT COUNT(*) FROM (SELECT 1 FROM t1 GROUP BY a,a) d)
+# )
+# ) FROM t1
+# )
+# ) != COUNT(*) q FROM t1 GROUP BY a;
+# dec $i;
+#}
+#
+#DROP TABLE t1;
 --echo #
 --echo # Bug #54468: crash after item's print() function when ordering/grouping
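Review bot: The Bug #55568 case is disabled by commenting out some thirty lines instead of being removed or adapted, which leaves dead test code in join.test and drops the only regression check for the user-variable crash that bug tracked. Since the nested MULTIPOINT query now fails with ER_ILLEGAL_VALUE_FOR_TYPE rather than crashing, the block can stay live by keeping the CREATE/INSERT/DROP statements and prefixing the statement inside the `while` loop with `--error ER_ILLEGAL_VALUE_FOR_TYPE`, which still drives the original crash path and asserts the new behaviour (the matching expected output in join.result would then need regenerating). If the intent is to retire the test permanently, delete the block and keep only the two-line comment that points at bug 55531.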