Bug#44684: valgrind reports invalid reads in

Item_func_spatial_collection::val_str When the concatenation function for geometry data collections reads the binary data it was not rigorous in checking that there is data available, leading to invalid reads and crashes. Fixed by making checking stricter.
2025-08-07 00:04:31 +03:00 · 2009-06-17 16:58:33 +02:00
parent eecf06873e
commit e33e01e516
3 changed files with 82 additions and 3 deletions
--- a/mysql-test/r/gis.result
+++ b/mysql-test/r/gis.result
@@ -984,4 +984,52 @@ f4	geometry	YES		NULL
 f5	datetime	YES		NULL	
 drop view v1;
 drop table t1;
+SELECT MultiPoint(12345,'');
+MultiPoint(12345,'')
+NULL
+SELECT MultiPoint(123451,'');
+MultiPoint(123451,'')
+NULL
+SELECT MultiPoint(1234512,'');
+MultiPoint(1234512,'')
+NULL
+SELECT MultiPoint(12345123,'');
+MultiPoint(12345123,'')
+NULL
+SELECT MultiLineString(12345,'');
+MultiLineString(12345,'')
+NULL
+SELECT MultiLineString(123451,'');
+MultiLineString(123451,'')
+NULL
+SELECT MultiLineString(1234512,'');
+MultiLineString(1234512,'')
+NULL
+SELECT MultiLineString(12345123,'');
+MultiLineString(12345123,'')
+NULL
+SELECT LineString(12345,'');
+LineString(12345,'')
+NULL
+SELECT LineString(123451,'');
+LineString(123451,'')
+NULL
+SELECT LineString(1234512,'');
+LineString(1234512,'')
+NULL
+SELECT LineString(12345123,'');
+LineString(12345123,'')
+NULL
+SELECT Polygon(12345,'');
+Polygon(12345,'')
+NULL
+SELECT Polygon(123451,'');
+Polygon(123451,'')
+NULL
+SELECT Polygon(1234512,'');
+Polygon(1234512,'')
+NULL
+SELECT Polygon(12345123,'');
+Polygon(12345123,'')
+NULL
 End of 5.1 tests
--- a/mysql-test/t/gis.test
+++ b/mysql-test/t/gis.test
@@ -667,4 +667,28 @@ desc v1;
 drop view v1;
 drop table t1;

+#
+# Bug#44684: valgrind reports invalid reads in 
+# Item_func_spatial_collection::val_str
+#
+SELECT MultiPoint(12345,'');
+SELECT MultiPoint(123451,'');
+SELECT MultiPoint(1234512,'');
+SELECT MultiPoint(12345123,'');
+
+SELECT MultiLineString(12345,'');
+SELECT MultiLineString(123451,'');
+SELECT MultiLineString(1234512,'');
+SELECT MultiLineString(12345123,'');
+
+SELECT LineString(12345,'');
+SELECT LineString(123451,'');
+SELECT LineString(1234512,'');
+SELECT LineString(12345123,'');
+
+SELECT Polygon(12345,'');
+SELECT Polygon(123451,'');
+SELECT Polygon(1234512,'');
+SELECT Polygon(12345123,'');
+
 --echo End of 5.1 tests
--- a/sql/item_geofunc.cc
+++ b/sql/item_geofunc.cc
@@ -416,7 +416,10 @@ String *Item_func_spatial_collection::val_str(String *str)
    else
    {
      enum Geometry::wkbType wkb_type;
-      const char *data= res->ptr() + 4/*SRID*/ + 1;
+      const uint data_offset= 4/*SRID*/ + 1;
+      if (res->length() < data_offset + sizeof(uint32))
+        goto err;
+      const char *data= res->ptr() + data_offset;

      /*
 	In the case of named collection we must check that items
@@ -439,7 +442,7 @@ String *Item_func_spatial_collection::val_str(String *str)
 	break;

      case Geometry::wkb_linestring:
-	if (str->append(data, POINT_DATA_SIZE, 512))
+	if (len < POINT_DATA_SIZE || str->append(data, POINT_DATA_SIZE, 512))
 	  goto err;
 	break;
      case Geometry::wkb_polygon:
@@ -448,11 +451,15 @@ String *Item_func_spatial_collection::val_str(String *str)
 	double x1, y1, x2, y2;
 	const char *org_data= data;

-	if (len < 4 + 2 * POINT_DATA_SIZE)
+	if (len < 4)
 	  goto err;

 	n_points= uint4korr(data);
 	data+= 4;
+
+        if (n_points < 2 || len < 4 + n_points * POINT_DATA_SIZE)
+          goto err;
+        
 	float8get(x1, data);
 	data+= SIZEOF_STORED_DOUBLE;
 	float8get(y1, data);