From ae3d4bfc0e5dc8c88ce93496bf01018ea2b298bf Mon Sep 17 00:00:00 2001
From: unknown <holyfoot/hf@mysql.com/hfmain.(none)>
Date: Wed, 3 Oct 2007 13:35:35 +0500
Subject: [PATCH 1/3] Bug #30955 geomfromtext() crasher.

end-of-line check missed in Gis_read_stream::get_next_word,
what can lead to crashes (expecially with NULL strings).

End-of-line check added


sql/gstream.cc:
  Bug #30955 geomfromtext() crasher
mysql-test/r/gis.result:
  Bug #30955 geomfromtext() crasher.

  test result
mysql-test/t/gis.test:
  Bug #30955 geomfromtext() crasher.

  test case
---
 mysql-test/r/gis.result | 6 ++++++
 mysql-test/t/gis.test   | 8 ++++++++
 sql/gstream.cc          | 2 +-
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/mysql-test/r/gis.result b/mysql-test/r/gis.result
index 643a3d6b434..55f70e59fcf 100644
--- a/mysql-test/r/gis.result
+++ b/mysql-test/r/gis.result
@@ -724,4 +724,10 @@ SELECT * FROM t1;
 a
 NULL
 DROP TABLE t1;
+CREATE TABLE `t1` ( `col9` set('a'), `col89` date);
+INSERT INTO `t1` VALUES ('','0000-00-00');
+select geomfromtext(col9,col89) as a from t1;
+a
+NULL
+DROP TABLE t1;
 End of 4.1 tests
diff --git a/mysql-test/t/gis.test b/mysql-test/t/gis.test
index 7182e040d46..cf5c3b31bc1 100644
--- a/mysql-test/t/gis.test
+++ b/mysql-test/t/gis.test
@@ -419,4 +419,12 @@ INSERT INTO t1 VALUES (NULL);
 SELECT * FROM t1;
 DROP TABLE t1;
 
+#
+# Bug #30955 geomfromtext() crasher
+#
+CREATE TABLE `t1` ( `col9` set('a'), `col89` date);
+INSERT INTO `t1` VALUES ('','0000-00-00');
+select geomfromtext(col9,col89) as a from t1;
+DROP TABLE t1;
+
 --echo End of 4.1 tests
diff --git a/sql/gstream.cc b/sql/gstream.cc
index f7d11d76b0c..f986d9dc7f3 100644
--- a/sql/gstream.cc
+++ b/sql/gstream.cc
@@ -45,7 +45,7 @@ bool Gis_read_stream::get_next_word(LEX_STRING *res)
   skip_space();
   res->str= (char*) m_cur;
   /* The following will also test for \0 */
-  if (!my_isvar_start(&my_charset_bin, *m_cur))
+  if ((m_cur >= m_limit) || !my_isvar_start(&my_charset_bin, *m_cur))
     return 1;
 
   /*

From 6d54b5771bf3cce3e5a5e8ca295219fdbae80c00 Mon Sep 17 00:00:00 2001
From: unknown <holyfoot/hf@mysql.com/hfmain.(none)>
Date: Fri, 5 Oct 2007 15:40:32 +0500
Subject: [PATCH 2/3] Bug #30286 spatial index cause corruption and server
 crash!

As the result of DOUBLE claculations can be bigger
than DBL_MAX constant we use in code, we shouldn't use this constatn
as a biggest possible value.
Particularly the rtree_pick_key function set 'min_area= DBL_MAX' relying
that any rtree_area_increase result will be less so we return valid
key. Though in rtree_area_increase function we calculate the area
of the rectangle, so the result can be 'inf' if the rectangle is
huge enough, which is bigger than DBL_MAX.

Code of the rtree_pick_key modified so we always return a valid key.


myisam/rt_index.c:
  Bug #30286 spatial index cause corruption and server crash!

  always set the best_key with the first key we get, so we always return
  somthing valid.
myisam/rt_mbr.c:
  Bug #30286 spatial index cause corruption and server crash!

  function comment extended
mysql-test/r/gis-rtree.result:
  Bug #30286 spatial index cause corruption and server crash!
  test result
mysql-test/t/gis-rtree.test:
  Bug #30286 spatial index cause corruption and server crash!
  test case
---
 myisam/rt_index.c             | 18 +++++-------------
 myisam/rt_mbr.c               |  5 ++++-
 mysql-test/r/gis-rtree.result | 31 ++++++++++++++++++++++++++++++
 mysql-test/t/gis-rtree.test   | 36 +++++++++++++++++++++++++++++++++++
 4 files changed, 76 insertions(+), 14 deletions(-)

diff --git a/myisam/rt_index.c b/myisam/rt_index.c
index 238432006a4..f19ecacef63 100644
--- a/myisam/rt_index.c
+++ b/myisam/rt_index.c
@@ -485,15 +485,16 @@ static uchar *rtree_pick_key(MI_INFO *info, MI_KEYDEF *keyinfo, uchar *key,
 			     uint key_length, uchar *page_buf, uint nod_flag)
 {
   double increase;
-  double best_incr = DBL_MAX;
+  double best_incr;
   double area;
   double best_area;
-  uchar *best_key;
+  uchar *best_key= NULL;
   uchar *k = rt_PAGE_FIRST_KEY(page_buf, nod_flag);
   uchar *last = rt_PAGE_END(page_buf);
 
   LINT_INIT(best_area);
   LINT_INIT(best_key);
+  LINT_INIT(best_incr);
 
   for (; k < last; k = rt_PAGE_NEXT_KEY(k, key_length, nod_flag))
   {
@@ -502,22 +503,13 @@ static uchar *rtree_pick_key(MI_INFO *info, MI_KEYDEF *keyinfo, uchar *key,
                                         &area)) == -1.0)
       return NULL;
     /* The following should be safe, even if we compare doubles */
-    if (increase < best_incr)
+    if (!best_key || increase < best_incr ||
+        ((increase == best_incr) && (area < best_area)))
     {
       best_key = k;
       best_area = area;
       best_incr = increase;
     }
-    else
-    {
-      /* The following should be safe, even if we compare doubles */
-      if ((increase == best_incr) && (area < best_area))
-      {
-        best_key = k;
-        best_area = area;
-        best_incr = increase;
-      }
-    }
   }
   return best_key;
 }
diff --git a/myisam/rt_mbr.c b/myisam/rt_mbr.c
index 897862c1c9a..31eaac0ae70 100644
--- a/myisam/rt_mbr.c
+++ b/myisam/rt_mbr.c
@@ -525,7 +525,10 @@ double rtree_overlapping_area(HA_KEYSEG *keyseg, uchar* a, uchar* b,
 }
 
 /*
-Calculates MBR_AREA(a+b) - MBR_AREA(a)
+  Calculates MBR_AREA(a+b) - MBR_AREA(a)
+  Note: when 'a' and 'b' objects are far from each other,
+  the area increase can be really big, so this function
+  can return 'inf' as a result.
 */
 double rtree_area_increase(HA_KEYSEG *keyseg, uchar* a, uchar* b, 
                           uint key_length, double *ab_area)
diff --git a/mysql-test/r/gis-rtree.result b/mysql-test/r/gis-rtree.result
index 762dda4e501..3df316acd77 100644
--- a/mysql-test/r/gis-rtree.result
+++ b/mysql-test/r/gis-rtree.result
@@ -1420,3 +1420,34 @@ CHECK TABLE t1 EXTENDED;
 Table	Op	Msg_type	Msg_text
 test.t1	check	status	OK
 DROP TABLE t1;
+create table t1 (a geometry not null, spatial index(a));
+insert into t1 values (PointFromWKB(POINT(1.1517219314031e+164, 131072)));
+insert into t1 values (PointFromWKB(POINT(9.1248812352444e+192, 2.9740338169556e+284)));
+insert into t1 values (PointFromWKB(POINT(4.7783097267365e-299, -0)));
+insert into t1 values (PointFromWKB(POINT(1.49166814624e-154, 2.0880974297595e-53)));
+insert into t1 values (PointFromWKB(POINT(4.0917382598702e+149, 1.2024538023802e+111)));
+insert into t1 values (PointFromWKB(POINT(2.0349165139404e+236, 2.9993936277913e-241)));
+insert into t1 values (PointFromWKB(POINT(2.5243548967072e-29, 1.2024538023802e+111)));
+insert into t1 values (PointFromWKB(POINT(0, 6.9835074892995e-251)));
+insert into t1 values (PointFromWKB(POINT(2.0880974297595e-53, 3.1050361846014e+231)));
+insert into t1 values (PointFromWKB(POINT(2.8728483499323e-188, 2.4600631144627e+260)));
+insert into t1 values (PointFromWKB(POINT(3.0517578125e-05, 2.0349165139404e+236)));
+insert into t1 values (PointFromWKB(POINT(1.1517219314031e+164, 1.1818212630766e-125)));
+insert into t1 values (PointFromWKB(POINT(2.481040258324e-265, 5.7766220027675e-275)));
+insert into t1 values (PointFromWKB(POINT(2.0880974297595e-53, 2.5243548967072e-29)));
+insert into t1 values (PointFromWKB(POINT(5.7766220027675e-275, 9.9464647281957e+86)));
+insert into t1 values (PointFromWKB(POINT(2.2181357552967e+130, 3.7857669957337e-270)));
+insert into t1 values (PointFromWKB(POINT(4.5767114681874e-246, 3.6893488147419e+19)));
+insert into t1 values (PointFromWKB(POINT(4.5767114681874e-246, 3.7537584144024e+255)));
+insert into t1 values (PointFromWKB(POINT(3.7857669957337e-270, 1.8033161362863e-130)));
+insert into t1 values (PointFromWKB(POINT(0, 5.8774717541114e-39)));
+insert into t1 values (PointFromWKB(POINT(1.1517219314031e+164, 2.2761049594727e-159)));
+insert into t1 values (PointFromWKB(POINT(6.243497100632e+144, 3.7857669957337e-270)));
+insert into t1 values (PointFromWKB(POINT(3.7857669957337e-270, 2.6355494858076e-82)));
+insert into t1 values (PointFromWKB(POINT(2.0349165139404e+236, 3.8518598887745e-34)));
+insert into t1 values (PointFromWKB(POINT(4.6566128730774e-10, 2.0880974297595e-53)));
+insert into t1 values (PointFromWKB(POINT(2.0880974297595e-53, 1.8827498946116e-183)));
+insert into t1 values (PointFromWKB(POINT(1.8033161362863e-130, 9.1248812352444e+192)));
+insert into t1 values (PointFromWKB(POINT(4.7783097267365e-299, 2.2761049594727e-159)));
+insert into t1 values (PointFromWKB(POINT(1.94906280228e+289, 1.2338789709327e-178)));
+drop table t1;
diff --git a/mysql-test/t/gis-rtree.test b/mysql-test/t/gis-rtree.test
index f28a718cc11..b7d0f797e37 100644
--- a/mysql-test/t/gis-rtree.test
+++ b/mysql-test/t/gis-rtree.test
@@ -798,4 +798,40 @@ UPDATE t1 set spatial_point=GeomFromText('POINT(41 46)') where  c1 like 'f%';
 CHECK TABLE t1 EXTENDED;
 DROP TABLE t1;
 
+#
+# Bug #30286 spatial index cause corruption and server crash!
+#
+
+create table t1 (a geometry not null, spatial index(a));
+insert into t1 values (PointFromWKB(POINT(1.1517219314031e+164, 131072)));
+insert into t1 values (PointFromWKB(POINT(9.1248812352444e+192, 2.9740338169556e+284)));
+insert into t1 values (PointFromWKB(POINT(4.7783097267365e-299, -0)));
+insert into t1 values (PointFromWKB(POINT(1.49166814624e-154, 2.0880974297595e-53)));
+insert into t1 values (PointFromWKB(POINT(4.0917382598702e+149, 1.2024538023802e+111)));
+insert into t1 values (PointFromWKB(POINT(2.0349165139404e+236, 2.9993936277913e-241)));
+insert into t1 values (PointFromWKB(POINT(2.5243548967072e-29, 1.2024538023802e+111)));
+insert into t1 values (PointFromWKB(POINT(0, 6.9835074892995e-251)));
+insert into t1 values (PointFromWKB(POINT(2.0880974297595e-53, 3.1050361846014e+231)));
+insert into t1 values (PointFromWKB(POINT(2.8728483499323e-188, 2.4600631144627e+260)));
+insert into t1 values (PointFromWKB(POINT(3.0517578125e-05, 2.0349165139404e+236)));
+insert into t1 values (PointFromWKB(POINT(1.1517219314031e+164, 1.1818212630766e-125)));
+insert into t1 values (PointFromWKB(POINT(2.481040258324e-265, 5.7766220027675e-275)));
+insert into t1 values (PointFromWKB(POINT(2.0880974297595e-53, 2.5243548967072e-29)));
+insert into t1 values (PointFromWKB(POINT(5.7766220027675e-275, 9.9464647281957e+86)));
+insert into t1 values (PointFromWKB(POINT(2.2181357552967e+130, 3.7857669957337e-270)));
+insert into t1 values (PointFromWKB(POINT(4.5767114681874e-246, 3.6893488147419e+19)));
+insert into t1 values (PointFromWKB(POINT(4.5767114681874e-246, 3.7537584144024e+255)));
+insert into t1 values (PointFromWKB(POINT(3.7857669957337e-270, 1.8033161362863e-130)));
+insert into t1 values (PointFromWKB(POINT(0, 5.8774717541114e-39)));
+insert into t1 values (PointFromWKB(POINT(1.1517219314031e+164, 2.2761049594727e-159)));
+insert into t1 values (PointFromWKB(POINT(6.243497100632e+144, 3.7857669957337e-270)));
+insert into t1 values (PointFromWKB(POINT(3.7857669957337e-270, 2.6355494858076e-82)));
+insert into t1 values (PointFromWKB(POINT(2.0349165139404e+236, 3.8518598887745e-34)));
+insert into t1 values (PointFromWKB(POINT(4.6566128730774e-10, 2.0880974297595e-53)));
+insert into t1 values (PointFromWKB(POINT(2.0880974297595e-53, 1.8827498946116e-183)));
+insert into t1 values (PointFromWKB(POINT(1.8033161362863e-130, 9.1248812352444e+192)));
+insert into t1 values (PointFromWKB(POINT(4.7783097267365e-299, 2.2761049594727e-159)));
+insert into t1 values (PointFromWKB(POINT(1.94906280228e+289, 1.2338789709327e-178)));
+drop table t1;
+
 # End of 4.1 tests

From cd9d89a75d4cd5e9408cd34e6229910acf23cdc1 Mon Sep 17 00:00:00 2001
From: unknown <tnurnberg@sin.intern.azundris.com>
Date: Thu, 18 Oct 2007 10:47:54 +0200
Subject: [PATCH 3/3] Bug#31588: buffer overrun when setting variables

Buffer used when setting variables was not dimensioned to accomodate
trailing '\0'. An overflow by one character was therefore possible.
CS corrects limits to prevent such overflows.


mysql-test/r/variables.result:
  Try to overflow buffer used for setting system variables.
  Unpatched server should throw a valgrind warning here.
  Actual value and error message irrelevant, only length counts.
mysql-test/t/variables.test:
  Try to overflow buffer used for setting system variables.
sql/set_var.cc:
  Adjust maximum number of characters we can store in 'buff' by one
  as strmake() will write a terminating '\0'.
---
 mysql-test/r/variables.result | 3 +++
 mysql-test/t/variables.test   | 9 ++++++++-
 sql/set_var.cc                | 2 +-
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/mysql-test/r/variables.result b/mysql-test/r/variables.result
index 14f1eb7d306..a5b6c308969 100644
--- a/mysql-test/r/variables.result
+++ b/mysql-test/r/variables.result
@@ -561,3 +561,6 @@ set @@query_prealloc_size = @test;
 select @@query_prealloc_size = @test;
 @@query_prealloc_size = @test
 1
+set global sql_mode=repeat('a',80);
+ERROR 42000: Variable 'sql_mode' can't be set to the value of 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
+End of 4.1 tests
diff --git a/mysql-test/t/variables.test b/mysql-test/t/variables.test
index 808dc0973d4..371cd6bc9b1 100644
--- a/mysql-test/t/variables.test
+++ b/mysql-test/t/variables.test
@@ -447,4 +447,11 @@ set @test = @@query_prealloc_size;
 set @@query_prealloc_size = @test;
 select @@query_prealloc_size = @test;
 
-# End of 4.1 tests
+#
+# Bug#31588 buffer overrun when setting variables
+#
+# Buffer-size Off By One. Should throw valgrind-warning without fix #31588.
+--error 1231
+set global sql_mode=repeat('a',80);
+
+--echo End of 4.1 tests
diff --git a/sql/set_var.cc b/sql/set_var.cc
index 520ee5c9f70..1d18eba30a8 100644
--- a/sql/set_var.cc
+++ b/sql/set_var.cc
@@ -1573,7 +1573,7 @@ bool sys_var::check_set(THD *thd, set_var *var, TYPELIB *enum_names)
 					    &not_used));
     if (error_len)
     {
-      strmake(buff, error, min(sizeof(buff), error_len));
+      strmake(buff, error, min(sizeof(buff) - 1, error_len));
       goto err;
     }
   }