Skip to content

MDEV-39911: Crash in ST_SIMPLIFY of a collection geometry#5195

Open
DaveGosselin-MariaDB wants to merge 1 commit into
12.3from
12.3-mdev-39911-convex-simplify-crash
Open

MDEV-39911: Crash in ST_SIMPLIFY of a collection geometry#5195
DaveGosselin-MariaDB wants to merge 1 commit into
12.3from
12.3-mdev-39911-convex-simplify-crash

Conversation

@DaveGosselin-MariaDB

@DaveGosselin-MariaDB DaveGosselin-MariaDB commented Jun 8, 2026

Copy link
Copy Markdown
Member

ST_SIMPLIFY of a multilinestring, polygon, multipolygon, or geometry collection reserved space for the result header but omitted the four byte element count that it then appends. This resulted in a buffer overrun.

Reserve the full header size, including the count, in each of the four collection simplify functions, the same fix applied for MDEV-35062 and MDEV-36042.

@DaveGosselin-MariaDB
MDEV-39911: Crash in ST_SIMPLIFY of a collection geometry
4560fd0 
ST_SIMPLIFY of a multilinestring, polygon, multipolygon, or geometry
collection reserved space for the result header but omitted the four
byte element count that it then appends.  This resulted in a buffer
overrun.

Reserve the full header size, including the count, in each of the four
collection simplify functions, the same fix applied for MDEV-35062 and
MDEV-36042.
@DaveGosselin-MariaDB DaveGosselin-MariaDB self-assigned this Jun 8, 2026
gemini-code-assist[bot]
gemini-code-assist Bot reviewed Jun 8, 2026
View reviewed changes

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request addresses a crash (MDEV-39911) in the ST_SIMPLIFY function when processing collection geometries. The crash was caused by insufficient buffer reservation in the simplify methods of Gis_polygon, Gis_multi_line_string, Gis_multi_polygon, and Gis_geometry_collection, which failed to account for the element count in the WKB header. The fix ensures that an additional sizeof(uint32) is reserved and adds error handling for the reservation process. Relevant test cases have also been added to prevent regression. There are no review comments, and I have no additional feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@DaveGosselin-MariaDB DaveGosselin-MariaDB requested review from abarkov and holyfoot and removed request for abarkov June 8, 2026 18:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@holyfoot holyfoot Awaiting requested review from holyfoot

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@DaveGosselin-MariaDB DaveGosselin-MariaDB

Labels

MariaDB Corporation

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@DaveGosselin-MariaDB