Bug #51875 | crash when loading data into geometry function polyfromwkb
---|---
Submitted: | 9 Mar 2010 16:19
Modified: | 14 Apr 2011 13:15
Reporter: | Shane Bester (Platinum Quality Contributor)
Status: | Closed
Category: | MySQL Server: GIS
Severity: | S1 (Critical)
Version: | 5.0.90, 5.1.44
OS: | Any
Assigned to: | Ramil Kalimullin
CPU Architecture: | Any
Tags: | crash, polyfromwkb
[9 Mar 2010 16:19]
Shane Bester
[9 Mar 2010 16:21]
MySQL Verification Team
Attachment: data.bin (application/octet-stream, text), 174.27 KiB.
[9 Mar 2010 16:29]
Valeriy Kravchuk
I do not see a crash with recent 5.1.45 from bzr on Mac OS X:

77-52-24-143:5.1 openxs$ bin/mysql -uroot test
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 5.1.45-debug Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> drop table if exists t1;
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> create table t1(a int)engine=myisam;
Query OK, 0 rows affected (0.07 sec)

mysql> load data infile '/Users/openxs/Downloads/data.bin' into table `t1`
    -> fields terminated by 'E'
    -> (@`var1`,@`var1`)
    -> set `a`=polyfromwkb(@`var1`);
Query OK, 242 rows affected, 73 warnings (0.06 sec)
Records: 242  Deleted: 0  Skipped: 0  Warnings: 71
[9 Mar 2010 16:57]
MySQL Verification Team
100309 13:31:23 [Note] Plugin 'FEDERATED' is disabled.
100309 13:31:24 [Note] Event Scheduler: Loaded 0 events
100309 13:31:24 [Note] C:\DBS\5.1\bin\mysqld: ready for connections.
Version: '5.1.46-Win X64-debug-log'  socket: ''  port: 3306  Source distribution
100309 13:33:26 - mysqld got exception 0xc0000005 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

key_buffer_size=8384512
read_buffer_size=131072
max_used_connections=1
max_threads=151
threads_connected=1
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 338112 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

thd: 0xc71ee8
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
00000001403F7595    mysqld.exe!get_point()[spatial.cc:126]
00000001403F8482    mysqld.exe!Gis_line_string::is_closed()[spatial.cc:632]
00000001403F8BC3    mysqld.exe!Gis_polygon::init_from_wkb()[spatial.cc:762]
00000001403F70A0    mysqld.exe!Geometry::create_from_wkb()[spatial.cc:257]
00000001403656B3    mysqld.exe!Item_func_geometry_from_wkb::val_str()[item_geofunc.cc:107]
00000001401EF549    mysqld.exe!Item::save_in_field()[item.cc:5122]
000000014017A1AA    mysqld.exe!fill_record()[sql_base.cc:8170]
0000000140179EFC    mysqld.exe!fill_record_n_invoke_before_triggers()[sql_base.cc:8215]
00000001403A8576    mysqld.exe!read_sep_field()[sql_load.cc:999]
00000001403A645D    mysqld.exe!mysql_load()[sql_load.cc:439]
000000014020A899    mysqld.exe!mysql_execute_command()[sql_parse.cc:3459]
0000000140213735    mysqld.exe!mysql_parse()[sql_parse.cc:5975]
000000014020423B    mysqld.exe!dispatch_command()[sql_parse.cc:1235]
00000001402034EA    mysqld.exe!do_command()[sql_parse.cc:874]
00000001400C7235    mysqld.exe!handle_one_connection()[sql_connect.cc:1127]
0000000140604D45    mysqld.exe!pthread_start()[my_winthread.c:85]
00000001405DAFB5    mysqld.exe!_callthreadstart()[thread.c:295]
00000001405DAF87    mysqld.exe!_threadstart()[thread.c:277]
0000000077A7BE3D    kernel32.dll!BaseThreadInitThunk()
0000000077BB6A51    ntdll.dll!RtlUserThreadStart()

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 0000000000CF1E58=load data infile 'c:/dbs/5.1/data.bin' into table `t1` fields terminated by 'E' (@`var1`,@`var1`) set `a`=polyfromwkb(@`var1`)
thd->thread_id=2
thd->killed=NOT_KILLED
The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.
[30 Aug 2010 7:52]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/117094

3494 Ramil Kalimullin 2010-08-30
Fix for bug #51875: crash when loading data into geometry function polyfromwkb

Check for number of line strings in the incoming polygon data (wkb) and for number of points in the incoming linestring wkb.

@ mysql-test/r/gis.result
  Fix for bug #51875: crash when loading data into geometry function polyfromwkb
  - test result.
@ mysql-test/t/gis.test
  Fix for bug #51875: crash when loading data into geometry function polyfromwkb
  - test case.
@ sql/spatial.cc
  Fix for bug #51875: crash when loading data into geometry function polyfromwkb
  - creating a polygon from wkb check for number of line strings,
  - creating a linestring from wkb check for number of line points.
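The commit message above describes the fix as count checks on the incoming WKB. What follows is an added example, not MySQL's code or the committed patch: a small C walk over a little-endian WKB polygon that refuses to read any point unless the ring count and each ring's point count fit in the bytes actually present, plus a constructed helper, check_sample(), that builds a header claiming more points than the buffer holds, the kind of input that reached get_point() in the backtrace.

```c
#include <stdint.h>
#include <string.h>
/* Added example, not MySQL's code: bounds-checked walk over a little-endian (NDR)
 * WKB polygon, doing the check the fix for bug #51875 describes: ring and point
 * counts must be backed by bytes actually present. Returns points, -1 if bad. */
#define WKB_POLYGON 3u
#define POINT_BYTES 16u                   /* two IEEE-754 doubles */

static int read_u32(const uint8_t *p, size_t len, size_t *off, uint32_t *out)
{
    if (len - *off < 4) return -1;        /* the count field itself is cut off */
    memcpy(out, p + *off, 4); *off += 4;  /* assumes a little-endian host */
    return 0;
}

long wkb_polygon_check(const uint8_t *wkb, size_t len)
{
    size_t off = 1; long total = 0;
    uint32_t type, nrings, npoints;
    if (len < 1 || wkb[0] != 1) return -1;              /* NDR byte order only */
    if (read_u32(wkb, len, &off, &type) || type != WKB_POLYGON) return -1;
    if (read_u32(wkb, len, &off, &nrings) || nrings == 0) return -1;
    if (nrings > (len - off) / 4) return -1;            /* more rings than bytes */
    for (uint32_t r = 0; r < nrings; r++) {
        if (read_u32(wkb, len, &off, &npoints)) return -1;
        if (npoints < 4) return -1;                     /* a closed ring needs >= 4 */
        if (npoints > (len - off) / POINT_BYTES) return -1; /* crash case: count > data */
        /* ring must be closed: first point equals last point (raw byte compare) */
        if (memcmp(wkb + off, wkb + off + (size_t)(npoints - 1) * POINT_BYTES, POINT_BYTES))
            return -1;
        off += (size_t)npoints * POINT_BYTES;
        total += npoints;
    }
    return total;
}

/* Constructed sample: one ring of four real points, but the header declares
 * declared_points; trim (<= 77) bytes are cut from the end, as in a short read. */
long check_sample(uint32_t declared_points, size_t trim)
{
    static const double pts[4][2] = {{0, 0}, {1, 0}, {1, 1}, {0, 0}};
    uint32_t type = WKB_POLYGON, nrings = 1;
    uint8_t buf[80]; size_t off = 0;
    buf[off++] = 1;                                     /* NDR */
    memcpy(buf + off, &type, 4);            off += 4;
    memcpy(buf + off, &nrings, 4);          off += 4;
    memcpy(buf + off, &declared_points, 4); off += 4;
    memcpy(buf + off, pts, sizeof pts);     off += sizeof pts;   /* 77 bytes total */
    return wkb_polygon_check(buf, off - trim);
}
```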
[8 Sep 2010 19:05]
Paul DuBois
Noted in 5.1.51, 5.5.7 changelogs. The PolyFromWKB() function could crash the server when improper WKB data was passed to the function.
[28 Sep 2010 8:48]
Bugs System
Pushed into mysql-5.1 5.1.52 (revid:sunanda.menon@sun.com-20100928083322-wangbv97uobu7g66) (version source revid:sunanda.menon@sun.com-20100928083322-wangbv97uobu7g66) (merge vers: 5.1.52) (pib:21)
[28 Sep 2010 15:40]
Bugs System
Pushed into mysql-trunk 5.6.1-m4 (revid:alik@sun.com-20100928153607-tdsxkdm5cmuym5sq) (version source revid:alik@sun.com-20100928153508-0saa6v93dinqx1u7) (merge vers: 5.6.1-m4) (pib:21)
[28 Sep 2010 15:42]
Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100928153646-pqp8o1a92mxtuj3h) (version source revid:alik@sun.com-20100928153532-lr3gtvnyp2en4y75) (pib:21)
[28 Sep 2010 15:44]
Bugs System
Pushed into mysql-5.5 5.5.7-rc (revid:alik@sun.com-20100928153459-4nudf4zgzlou4s7q) (version source revid:alik@sun.com-20100928153459-4nudf4zgzlou4s7q) (merge vers: 5.5.7-rc) (pib:21)
[28 Sep 2010 19:29]
Paul DuBois
Noted in 5.6.1 changelog.
[14 Oct 2010 8:39]
Bugs System
Pushed into mysql-5.1-telco-7.0 5.1.51-ndb-7.0.20 (revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (version source revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (merge vers: 5.1.51-ndb-7.0.20) (pib:21)
[14 Oct 2010 8:54]
Bugs System
Pushed into mysql-5.1-telco-6.3 5.1.51-ndb-6.3.39 (revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (version source revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (merge vers: 5.1.51-ndb-6.3.39) (pib:21)
[14 Oct 2010 9:11]
Bugs System
Pushed into mysql-5.1-telco-6.2 5.1.51-ndb-6.2.19 (revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (version source revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (merge vers: 5.1.51-ndb-6.2.19) (pib:21)
[14 Oct 2010 14:17]
Jon Stephens
Already documented in the 5.1.51 changelog; no additional changelog entries required. Set back to Closed state.
[15 Oct 2010 5:21]
MySQL Verification Team
still crashes 5.0.91:

Invalid read of size 8
   at 0x6B5A8B: Gis_polygon::init_from_wkb (spatial.cc:123)
   by 0x6B20CD: Geometry::create_from_wkb (spatial.cc:254)
   by 0x55C519: Item_func_geometry_from_wkb::val_str (item_geofunc.cc:97)
   by 0x4EF9C1: Item::save_in_field (item.cc:4735)
   by 0x5C8A79: fill_record_n_invoke_before_triggers (sql_base.cc:5830)
   by 0x67C5D8: mysql_load (sql_load.cc:835)
   by 0x5A8EA6: mysql_execute_command (sql_parse.cc:4139)
   by 0x5AB9A6: mysql_parse (sql_parse.cc:6470)
   by 0x5ACBCA: dispatch_command (sql_parse.cc:1966)
   by 0x5AE2A8: handle_one_connection (sql_parse.cc:1647)
   by 0x30E1807760: start_thread (pthread_create.c:301)
 Address 0x108a405a1 is not stack'd, malloc'd or (recently) free'd
[3 Nov 2010 19:51]
Paul DuBois
CVE-2010-3840
[14 Apr 2011 13:15]
Paul DuBois
Noted in 5.0.93 changelog.