Bug#25062396 - ASSERTION `CUR_SHAPE != GCALC_FUNCTION:: SHAPE_POINT' …

…FAILED. Invalid input parameters could lead to wrong result buffer. Which can cause an assert due to traversing to uninitialized pointers and abrupt exit or cyclic processing of the result buffer. Fix included handling of below scenarios. 1. Uninitialized structure elements. 2. Handling of NULL pointers. 3. Breakout from cyclic loops. 4. Wrong result object (Point with more than one coordinates). Change-Id: I9badfa248889bc4e2f460b77d6a4be5dd72a962a
mysql · Oct 16, 2017 · b5323d1 · b5323d1
1 parent 7577852
commit b5323d1
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 4 deletions.
diff --git a/sql/gcalc_tools.cc b/sql/gcalc_tools.cc
@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -447,6 +447,11 @@ int Gcalc_result_receiver::complete_shape()
   }
   else
   {
+    if (cur_shape == Gcalc_function::shape_point)
+    {
+      DBUG_RETURN(1);
+    }
+
     DBUG_ASSERT(cur_shape != Gcalc_function::shape_point);
     if (cur_shape == Gcalc_function::shape_hole ||
         cur_shape == Gcalc_function::shape_polygon)
@@ -1173,8 +1178,12 @@ int Gcalc_operation_reducer::get_polygon_result(res_point *cur,
 {
   DBUG_ENTER("Gcalc_operation_reducer::get_polygon_result");
   res_point *glue= cur->glue;
-  glue->up->down= NULL;
-  free_result(glue);
+  if(glue)
+  {
+    if(glue->up)
+      glue->up->down= NULL;
+    free_result(glue);
+  }
   DBUG_RETURN(get_result_thread(cur, storage, 1) ||
               storage->complete_shape());
 }
@@ -1261,10 +1270,21 @@ int Gcalc_operation_reducer::get_result(Gcalc_result_receiver *storage)
   DBUG_ENTER("Gcalc_operation_reducer::get_result");
   Dynamic_array<Gcalc_result_receiver::chunk_info> chunks;
   bool polygons_found= false;
+  int counter= 0;
 
   *m_res_hook= NULL;
   while (m_result)
   {
+    /**
+      Handle cyclic graph scenario. This can occur due to invalid input
+      geometry. Ideally the comparison should be with length of the string.
+      We have choosen an arbitory number suitable for practical usecase's
+      due to the complexity involved in checking with the length.
+    */
+    counter++;
+    if (counter > 10000)
+      DBUG_RETURN(1);
+
     Gcalc_function::shape_type shape;
     Gcalc_result_receiver::chunk_info chunk;
 

diff --git a/sql/gcalc_tools.h b/sql/gcalc_tools.h
@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -353,6 +353,10 @@ class Gcalc_operation_reducer : public Gcalc_dyn_list
                            bool intersection_point)
   {
     res_point *result= (res_point *) new_item();
+    result->up= result->down= result->glue= NULL;
+    result->set_outer_poly(NULL);
+    result->pi= NULL;
+    result->first_poly_node= NULL;
     *m_res_hook= result;
     result->prev_hook= m_res_hook;
     m_res_hook= &result->next;