Skip to content

MDEV-39911: Crash in ST_SIMPLIFY of a collection geometry #5195

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
DaveGosselin-MariaDB wants to merge 1 commit into
base: 12.3
Choose a base branch
from
+46 −4
Open

MDEV-39911: Crash in ST_SIMPLIFY of a collection geometry #5195

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions mysql-test/main/spatial_utility_function_simplify.result
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -557,5 +557,25 @@ SELECT ST_ASTEXT(ST_SIMPLIFY(ST_GEOMFROMTEXT('POLYGON((0 0,0 10,10 10,10 0,0 0,0
ERROR HY000: Incorrect arguments to st_simplify
SELECT ST_ASTEXT(ST_SIMPLIFY(ST_GEOMFROMTEXT('POLYGON((0 0,0 10,10 10,10 0,0 0,0 0,0 0,0 0))'), a));
ERROR 42S22: Unknown column 'a' in 'SELECT'
#
# MDEV-39911 Crash in ST_SIMPLIFY of a collection geometry
#
# ST_SIMPLIFY of a collection reserved less space than the WKB header it
# writes, so the element count overran a small buffer. CONCAT_WS
# builds its separator in a ten byte stack buffer and COLUMN_GET builds its
# column name in an eleven byte stack buffer. Each query below crashed
# before the fix.
SELECT CONCAT_WS(ST_SIMPLIFY(ST_GEOMFROMTEXT('MULTILINESTRING((0 0,5 5,0 10),(0 0,-5 5,0 10))'), 5), 7, 5) IS NOT NULL AS ok;
ok
1
SELECT CONCAT_WS(ST_SIMPLIFY(ST_GEOMFROMTEXT('POLYGON((0 0,10 0,15 5,10 10,0 10,-5 5,0 0))'), 0.0001), 7, 5) IS NOT NULL AS ok;
ok
1
SELECT CONCAT_WS(ST_SIMPLIFY(ST_GEOMFROMTEXT('MULTIPOLYGON(((0 0,10 0,15 5,10 10,0 10,-5 5,0 0)))'), 0.0001), 7, 5) IS NOT NULL AS ok;
ok
1
SELECT COLUMN_GET(COLUMN_CREATE('a', 1), ST_SIMPLIFY(ST_GEOMFROMTEXT('GEOMETRYCOLLECTION(MULTILINESTRING((0 0,5 5,0 10),(0 0,-5 5,0 10)))'), 5) AS CHAR) IS NULL AS ok;
ok
1
# Clean up
DROP TABLE gis_geometrycollection;
14 changes: 14 additions & 0 deletions mysql-test/main/spatial_utility_function_simplify.test
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -497,5 +497,19 @@ SELECT ST_ASTEXT(ST_SIMPLIFY(ST_GEOMFROMTEXT('POLYGON((0 0,0 10,10 10,10 0,0 0,0
--error ER_BAD_FIELD_ERROR
SELECT ST_ASTEXT(ST_SIMPLIFY(ST_GEOMFROMTEXT('POLYGON((0 0,0 10,10 10,10 0,0 0,0 0,0 0,0 0))'), a));

--echo #
--echo # MDEV-39911 Crash in ST_SIMPLIFY of a collection geometry
--echo #

--echo # ST_SIMPLIFY of a collection reserved less space than the WKB header it
--echo # writes, so the element count overran a small buffer. CONCAT_WS
--echo # builds its separator in a ten byte stack buffer and COLUMN_GET builds its
--echo # column name in an eleven byte stack buffer. Each query below crashed
--echo # before the fix.
SELECT CONCAT_WS(ST_SIMPLIFY(ST_GEOMFROMTEXT('MULTILINESTRING((0 0,5 5,0 10),(0 0,-5 5,0 10))'), 5), 7, 5) IS NOT NULL AS ok;
SELECT CONCAT_WS(ST_SIMPLIFY(ST_GEOMFROMTEXT('POLYGON((0 0,10 0,15 5,10 10,0 10,-5 5,0 0))'), 0.0001), 7, 5) IS NOT NULL AS ok;
SELECT CONCAT_WS(ST_SIMPLIFY(ST_GEOMFROMTEXT('MULTIPOLYGON(((0 0,10 0,15 5,10 10,0 10,-5 5,0 0)))'), 0.0001), 7, 5) IS NOT NULL AS ok;
SELECT COLUMN_GET(COLUMN_CREATE('a', 1), ST_SIMPLIFY(ST_GEOMFROMTEXT('GEOMETRYCOLLECTION(MULTILINESTRING((0 0,5 5,0 10),(0 0,-5 5,0 10)))'), 5) AS CHAR) IS NULL AS ok;

--echo # Clean up
DROP TABLE gis_geometrycollection;
16 changes: 12 additions & 4 deletions sql/spatial.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2387,7 +2387,9 @@ int Gis_polygon::simplify(String *result, double max_distance) const
return 1;

result->length(0);
result->reserve(SRID_SIZE + WKB_HEADER_SIZE);
// Reserve room for the SRID, byte order, type, and ring count.
if (result->reserve(SRID_SIZE + WKB_HEADER_SIZE + sizeof(uint32)))
return 1;
result->q_append(SRID_PLACEHOLDER);
result->q_append((char) wkb_ndr);
result->q_append((uint32) wkb_polygon);
Expand Down Expand Up @@ -3492,7 +3494,9 @@ int Gis_multi_line_string::simplify(String *result, double max_distance) const
return 1;

result->length(0);
result->reserve(SRID_SIZE + WKB_HEADER_SIZE);
// Reserve room for the SRID, byte order, type, and line count.
if (result->reserve(SRID_SIZE + WKB_HEADER_SIZE + sizeof(uint32)))
return 1;
result->q_append(SRID_PLACEHOLDER);
result->q_append((char) wkb_ndr);
result->q_append((uint32) wkb_multilinestring);
Expand Down Expand Up @@ -4099,7 +4103,9 @@ int Gis_multi_polygon::simplify(String *result, double max_distance) const
return 1;

result->length(0);
result->reserve(SRID_SIZE + WKB_HEADER_SIZE);
// Reserve room for the SRID, byte order, type, and polygon count.
if (result->reserve(SRID_SIZE + WKB_HEADER_SIZE + sizeof(uint32)))
return 1;
result->q_append(SRID_PLACEHOLDER);
result->q_append((char) wkb_ndr);
result->q_append((uint32) wkb_multipolygon);
Expand Down Expand Up @@ -4694,7 +4700,9 @@ int Gis_geometry_collection::simplify(String *result,
return 1;

result->length(0);
result->reserve(SRID_SIZE + BYTE_ORDER_SIZE + WKB_HEADER_SIZE);
// Reserve room for the SRID, byte order, type, and geometry count.
if (result->reserve(SRID_SIZE + WKB_HEADER_SIZE + sizeof(uint32)))
return 1;
result->q_append(SRID_PLACEHOLDER);
result->q_append((char) wkb_ndr);
result->q_append((uint32) wkb_geometrycollection);
Expand Down
Loading