From 6a113b215abde05ffe602111f54c2aef8e78bbd1 Mon Sep 17 00:00:00 2001
From: Ramil Kalimullin
Date: Mon, 30 Aug 2010 11:51:46 +0400
Subject: [PATCH] Fix for bug #51875: crash when loading data into geometry function polyfromwkb Check for number of line strings in the incoming polygon data (wkb) and for number of points in the incoming linestring wkb. mysql-test/r/gis.result: Fix for bug #51875: crash when loading data into geometry function polyfromwkb - test result. mysql-test/t/gis.test: Fix for bug #51875: crash when loading data into geometry function polyfromwkb - test case. sql/spatial.cc: Fix for bug #51875: crash when loading data into geometry function polyfromwkb - creating a polygon from wkb check for number of line strings, - creating a linestring from wkb check for number of line points.
---
 mysql-test/r/gis.result | 7 +++++++
 mysql-test/t/gis.test | 10 ++++++++++
 sql/spatial.cc | 6 ++++--
 3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/mysql-test/r/gis.result b/mysql-test/r/gis.result
index 3e28227d542..d39afa6f315 100644
--- a/mysql-test/r/gis.result
+++ b/mysql-test/r/gis.result
@@ -1057,4 +1057,11 @@ NULL
 SELECT Polygon(12345123,'');
 Polygon(12345123,'')
 NULL
+#
+# BUG#51875: crash when loading data into geometry function polyfromwkb
+#
+SET @a=0x00000000030000000100000000000000000000000000144000000000000014400000000000001840000000000000184000000000000014400000000000001440;
+SET @a=POLYFROMWKB(@a);
+SET @a=0x00000000030000000000000000000000000000000000144000000000000014400000000000001840000000000000184000000000000014400000000000001440;
+SET @a=POLYFROMWKB(@a);
 End of 5.1 tests
diff --git a/mysql-test/t/gis.test b/mysql-test/t/gis.test
index bc0695aaa93..236b31efb79 100644
--- a/mysql-test/t/gis.test
+++ b/mysql-test/t/gis.test
@@ -722,4 +722,14 @@ SELECT Polygon(123451,''); SELECT Polygon(1234512,''); SELECT Polygon(12345123,''); + +--echo # +--echo # BUG#51875: crash when loading data into geometry function polyfromwkb +--echo # +SET @a=0x00000000030000000100000000000000000000000000144000000000000014400000000000001840000000000000184000000000000014400000000000001440; +SET @a=POLYFROMWKB(@a); +SET @a=0x00000000030000000000000000000000000000000000144000000000000014400000000000001840000000000000184000000000000014400000000000001440; +SET @a=POLYFROMWKB(@a); + + --echo End of 5.1 tests diff --git a/sql/spatial.cc b/sql/spatial.cc index 2305a8eb97d..8b869a5b1ca 100644 --- a/sql/spatial.cc +++ b/sql/spatial.cc @@ -528,7 +528,7 @@ uint Gis_line_string::init_from_wkb(const char *wkb, uint len, n_points= wkb_get_uint(wkb, bo); proper_length= 4 + n_points * POINT_DATA_SIZE; - if (len < proper_length || res->reserve(proper_length)) + if (!n_points || len < proper_length || res->reserve(proper_length)) return 0; res->q_append(n_points); @@ -746,7 +746,9 @@ uint Gis_polygon::init_from_wkb(const char *wkb, uint len, wkbByteOrder bo, if (len < 4) return 0; - n_linear_rings= wkb_get_uint(wkb, bo); + if (!(n_linear_rings= wkb_get_uint(wkb, bo))) + return 0; + if (res->reserve(4, 512)) return 0; wkb+= 4;
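Review bot: The two new cases in gis.test only show that POLYFROMWKB no longer crashes, because `SET @a=POLYFROMWKB(@a);` produces no output and the result file cannot record what the function returned for the rejected WKB. Selecting the outcome before the reassignment, for example `SELECT POLYFROMWKB(@a) IS NULL;`, would pin the behaviour (presumably NULL, as for the `Polygon(...)` cases above it) and catch a later change that lets such data through. Both inputs use a count of zero; a ring or point count larger than the data that follows it is not covered by this test.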
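Review bot: In the Gis_line_string::init_from_wkb hunk the added `!n_points` test closes the zero case, but `proper_length= 4 + n_points * POINT_DATA_SIZE` is still computed from the untrusted count before any bound is applied. If these are 32-bit unsigned values (the declarations are outside the hunk), a large count can wrap the product so that `len < proper_length` passes with far less data than the count claims. Bounding the count by the input length first removes the dependence on the unchecked multiplication, e.g. `if (!n_points || n_points > (len - 4) / POINT_DATA_SIZE || res->reserve(proper_length))`, assuming `len >= 4` has already been checked above the hunk. The function body starts and ends outside the hunk, so the loop that consumes the points cannot be checked from here.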
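Review bot: In the Gis_polygon::init_from_wkb hunk `n_linear_rings` is rejected only when it is zero; no upper bound against `len` is visible, so whether an oversized ring count is caught depends on the per-ring length checks in the loop, which lies outside the hunk. A cheap up-front check would make that independent of the loop: every ring needs at least its 4-byte point count, so `if (!n_linear_rings || n_linear_rings > (len - 4) / 4) return 0;` can follow the read (`len >= 4` is guaranteed by the check just above). Separating the assignment from the test, with `n_linear_rings= wkb_get_uint(wkb, bo);` on its own line, would also read more clearly than assigning inside the `if`.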