Bug #38990 Arbitrary data input plus GIS functions causes mysql server crash
Submitted: 24 Aug 2008 9:24 Modified: 28 May 2009 17:30
Reporter: Norbert Tretkowski
Status: Closed
Category:MySQL Server: GIS Severity:S2 (Serious)
Version:5.0.67, 4.1, 5.0, 5.1, 6.0 bzr OS:Any (Debian x86_64, x32)
Assigned to: Alexey Botchkov CPU Architecture:Any
Triage: Triaged: D1 (Critical)

[24 Aug 2008 9:24] Norbert Tretkowski
Description:
This is a forwarded bug from the Debian bug tracking system:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=477072

The two attached files crash mysqld. I was able to reproduce this crash with the binaries from mysql-5.0.67-linux-x86_64-glibc23.tar.gz.

It seems to happen only on x86_64 systems, not on i386.

How to repeat:
create database test;
use test;
source country.sql;
source mysql-crash.sql
[24 Aug 2008 9:25] Norbert Tretkowski
country.sql

Attachment: country.sql (text/x-sql), 24.91 KiB.

[24 Aug 2008 9:25] Norbert Tretkowski
mysql-crash.sql

Attachment: mysql-crash.sql (text/x-sql), 437 bytes.

[24 Aug 2008 17:33] Sveta Smirnova
Thank you for the report.

Verified as described. 32-bit Linux affected as well.
[25 Aug 2008 7:42] Shane Bester
stack trace of crash

Attachment: bug38990_5.0.66a_stacktrace.txt (text/plain), 4.85 KiB.

[13 Feb 2009 12:12] Shane Bester
5.1.31 still crashes.

mysqld-debug.exe!split_rtree_node()[rt_split.c:207]
mysqld-debug.exe!rtree_split_page()[rt_split.c:301]
mysqld-debug.exe!rtree_add_key()[rt_key.c:65]
mysqld-debug.exe!rtree_insert_req()[rt_index.c:590]
mysqld-debug.exe!rtree_insert_req()[rt_index.c:555]
mysqld-debug.exe!rtree_insert_req()[rt_index.c:555]
mysqld-debug.exe!rtree_insert_level()[rt_index.c:638]
mysqld-debug.exe!rtree_insert()[rt_index.c:714]
mysqld-debug.exe!mi_write()[mi_write.c:126]
mysqld-debug.exe!ha_myisam::write_row()[ha_myisam.cc:742]
mysqld-debug.exe!handler::ha_write_row()[handler.cc:4570]
mysqld-debug.exe!write_record()[sql_insert.cc:1567]
mysqld-debug.exe!select_insert::send_data()[sql_insert.cc:3090]
mysqld-debug.exe!end_send()[sql_select.cc:11935]
mysqld-debug.exe!evaluate_join_record()[sql_select.cc:11195]
mysqld-debug.exe!sub_select()[sql_select.cc:11086]
mysqld-debug.exe!do_select()[sql_select.cc:10836]
mysqld-debug.exe!JOIN::exec()[sql_select.cc:2195]
mysqld-debug.exe!mysql_select()[sql_select.cc:2376]
mysqld-debug.exe!handle_select()[sql_select.cc:269]
mysqld-debug.exe!mysql_execute_command()[sql_parse.cc:3142]
mysqld-debug.exe!mysql_parse()[sql_parse.cc:5813]
mysqld-debug.exe!dispatch_command()[sql_parse.cc:1218]
mysqld-debug.exe!do_command()[sql_parse.cc:857]
mysqld-debug.exe!handle_one_connection()[sql_connect.cc:1115]
mysqld-debug.exe!pthread_start()[my_winthread.c:85]
mysqld-debug.exe!_callthreadstart()[thread.c:295]
mysqld-debug.exe!_threadstart()[thread.c:277]
kernel32.dll!BaseThreadStart()
[20 Feb 2009 15:28] Domas Mituzas
Target version 6.0 is not acceptable - this is a straightforward DoS possibility.

Also, it is quite common to pass WKB data to database engines, and this mishandling of WKB is a serious flaw in all GIS support.
[11 Mar 2009 5:50] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/68839

2709 Alexey Botchkov	2009-03-11
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash
         the Point() and Linestring() functions create a WKB representation of an
         object instead of a real geometry object.
         That produced bugs when these were inserted into tables.
      
         GIS tests fixed accordingly.
      
      per-file messages:
        mysql-test/r/gis-rtree.result
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash
          test result
        mysql-test/r/gis.result
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash
          test result
        mysql-test/t/gis-rtree.test
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash
          test fixed - GeomFromWKB invocations removed
        mysql-test/t/gis.test
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash
          test fixed - AsWKB invocations added
        sql/item_geofunc.cc
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash
           Point() and similar functions to create a proper object
[11 Mar 2009 6:17] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/68842

2709 Alexey Botchkov	2009-03-10
      Bug #38990 Arbitrary data input plus GIS functions causes mysql server crash
         the Point() and Linestring() functions create a WKB representation of an
         object instead of a real geometry object.
         That produced bugs when these were inserted into tables.
      
         GIS tests fixed accordingly.
      
      per-file messages:
        mysql-test/r/gis-rtree.result
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash
          test result
        mysql-test/r/gis.result
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash
          test result
        mysql-test/t/gis-rtree.test
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash
          test fixed - GeomFromWKB invocations removed
        mysql-test/t/gis.test
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash
          test fixed - AsWKB invocations added
        sql/item_geofunc.cc
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash
           Point() and similar functions to create a proper object
[11 Mar 2009 6:34] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/68845

2709 Alexey Botchkov	2009-03-09
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
         the Point() and Linestring() functions create a WKB representation of an
         object instead of a real geometry object.
         That produced bugs when these were inserted into tables.
      
         GIS tests fixed accordingly.
      
      per-file messages:
        mysql-test/r/gis-rtree.result
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
          test result
        mysql-test/r/gis.result
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
          test result
        mysql-test/t/gis-rtree.test
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
          test fixed - GeomFromWKB invocations removed
        mysql-test/t/gis.test
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
          test fixed - AsWKB invocations added
        sql/item_geofunc.cc
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
           Point() and similar functions to create a proper object
[23 Mar 2009 12:10] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/70042

2709 Alexey Botchkov	2009-03-23
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
         the Point() and Linestring() functions create a WKB representation of an
         object instead of a real geometry object.
         That produced bugs when these were inserted into tables.
      
         GIS tests fixed accordingly.
            
      per-file messages:
        mysql-test/r/gis-rtree.result
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
          test result
        mysql-test/r/gis.result
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
          test result
        mysql-test/t/gis-rtree.test
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
          test fixed - GeomFromWKB invocations removed
        mysql-test/t/gis.test
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
          test fixed - AsWKB invocations added
        sql/item_geofunc.cc
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
           Point() and similar functions to create a proper object
[7 Apr 2009 4:58] Alexander Barkov
http://lists.mysql.com/commits/70042 is Ok to push.
[28 Apr 2009 11:13] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/72897

2735 Alexey Botchkov	2009-04-28
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
         the Point() and Linestring() functions create a WKB representation of an
         object instead of a real geometry object.
         That produced bugs when these were inserted into tables.
      
         GIS tests fixed accordingly.
                  
      per-file messages:
        mysql-test/r/gis-rtree.result
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
          test result
        mysql-test/r/gis.result
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
          test result
        mysql-test/t/gis-rtree.test
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
          test fixed - GeomFromWKB invocations removed
        mysql-test/t/gis.test
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
          test fixed - AsWKB invocations added
        sql/item_geofunc.cc
      Bug#38990 Arbitrary data input plus GIS functions causes mysql server crash 
           Point() and similar functions to create a proper object
[5 May 2009 18:53] Bugs System
Pushed into 5.0.82 (revid:davi.arnaut@sun.com-20090505184158-dvmedh8n472y8np5) (version source revid:davi.arnaut@sun.com-20090505184158-dvmedh8n472y8np5) (merge vers: 5.0.82) (pib:6)
[5 May 2009 19:41] Bugs System
Pushed into 5.1.35 (revid:davi.arnaut@sun.com-20090505190206-9xmh7dlc6kom8exp) (version source revid:davi.arnaut@sun.com-20090505190206-9xmh7dlc6kom8exp) (merge vers: 5.1.35) (pib:6)
[6 May 2009 14:10] Bugs System
Pushed into 6.0.12-alpha (revid:svoj@sun.com-20090506125450-yokcmvqf2g7jhujq) (version source revid:holyfoot@mysql.com-20090429035014-0eqarsso851hl65i) (merge vers: 6.0.11-alpha) (pib:6)
[28 May 2009 17:30] Paul Dubois
Noted in 5.0.82, 5.1.35, 6.0.12 changelog.

The functions listed in
http://dev.mysql.com/doc/mysql/en/creating-spatial-values.html#gis-mysql-specific-function...
previously accepted WKB arguments and returned WKB values. They now
accept WKB or geometry arguments and return geometry values.

The functions listed in
http://dev.mysql.com/doc/mysql/en/creating-spatial-values.html#gis-wkb-functions
previously accepted WKB arguments and returned geometry values.
They now accept WKB or geometry arguments and return geometry values.
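The thread turns on the difference between a WKB byte string and a geometry value: the commit message says Point() and Linestring() used to return the former where a geometry was expected, and Domas Mituzas notes that untrusted WKB routinely reaches database engines. The following is an added example, not code from the bug report or from the MySQL server. It is a minimal, strict WKB encoder and parser for the two geometry types named in the commit message (Point and LineString), written so that truncated data, unknown byte-order markers, unsupported type codes, non-finite coordinates, oversized point counts and trailing bytes are all rejected before any value is handed to a database. The names, the structure of the parser and the MAX_POINTS bound are assumptions of this example; MySQL's internal geometry format (which also carries an SRID prefix) is not modelled here.

```python
import math
import struct

# WKB constants from the OGC Simple Features specification (the encoding
# MySQL's GeomFromWKB/AsWKB functions consume and produce).
WKB_NDR = 1            # little-endian byte-order marker
WKB_XDR = 0            # big-endian byte-order marker
WKB_POINT = 1
WKB_LINESTRING = 2

# Hypothetical application-level cap on points per LineString, so a forged
# length field cannot drive a huge allocation. Not a MySQL limit.
MAX_POINTS = 1_000_000


class WKBError(ValueError):
    """Raised for any blob that does not parse as well-formed WKB."""


def encode_point(x, y):
    """Little-endian WKB for POINT(x y): 1 + 4 + 8 + 8 = 21 bytes."""
    return struct.pack("<BIdd", WKB_NDR, WKB_POINT, x, y)


def encode_linestring(points):
    """Little-endian WKB for a LINESTRING built from (x, y) pairs."""
    if len(points) < 2:
        raise WKBError("LineString needs at least two points")
    out = struct.pack("<BII", WKB_NDR, WKB_LINESTRING, len(points))
    for x, y in points:
        out += struct.pack("<dd", x, y)
    return out


def _read(fmt, buf, pos):
    """Unpack fmt at pos, refusing to read past the end of the buffer."""
    size = struct.calcsize(fmt)
    if pos + size > len(buf):
        raise WKBError(
            f"truncated WKB: need {size} bytes at offset {pos}, have {len(buf) - pos}")
    return struct.unpack_from(fmt, buf, pos), pos + size


def _check_coord(x, y):
    """Reject NaN/inf coordinates, which no real geometry should carry."""
    if not (math.isfinite(x) and math.isfinite(y)):
        raise WKBError("non-finite coordinate")
    return (x, y)


def parse_wkb(buf):
    """Strictly parse a WKB Point or LineString.

    Returns ("POINT", (x, y)) or ("LINESTRING", [(x, y), ...]) and raises
    WKBError for anything else, so only a fully validated geometry is ever
    turned into a database value.
    """
    (order,), pos = _read("<B", buf, 0)
    if order == WKB_NDR:
        end = "<"
    elif order == WKB_XDR:
        end = ">"
    else:
        raise WKBError(f"bad byte-order marker {order}")
    (gtype,), pos = _read(end + "I", buf, pos)
    if gtype == WKB_POINT:
        (x, y), pos = _read(end + "dd", buf, pos)
        result = ("POINT", _check_coord(x, y))
    elif gtype == WKB_LINESTRING:
        (n,), pos = _read(end + "I", buf, pos)
        if n < 2 or n > MAX_POINTS:
            raise WKBError(f"LineString point count {n} out of range")
        pts = []
        for _ in range(n):
            (x, y), pos = _read(end + "dd", buf, pos)
            pts.append(_check_coord(x, y))
        result = ("LINESTRING", pts)
    else:
        raise WKBError(f"unsupported geometry type {gtype}")
    if pos != len(buf):
        raise WKBError(f"{len(buf) - pos} trailing byte(s) after geometry")
    return result


def is_valid_wkb(buf):
    """Boolean gate to place in front of an INSERT of client-supplied WKB."""
    try:
        parse_wkb(buf)
        return True
    except (WKBError, struct.error):
        return False


if __name__ == "__main__":
    # Constructed sample: a well-formed point, then the same blob truncated.
    good = encode_point(1.0, 2.0)
    print(parse_wkb(good), is_valid_wkb(good), is_valid_wkb(good[:-1]))
```

The point-count check and the end-of-buffer check are what matter for the "arbitrary data input" class of problem: a length field is read from the untrusted bytes and then used to drive reads and allocations, so it has to be bounded and every read has to be checked against the buffer length before the data is trusted.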
[15 Jun 2009 8:28] Bugs System
Pushed into 5.1.35-ndb-6.3.26 (revid:jonas@mysql.com-20090615074202-0r5r2jmi83tww6sf) (version source revid:jonas@mysql.com-20090615070837-9pccutgc7repvb4d) (merge vers: 5.1.35-ndb-6.3.26) (pib:6)
[15 Jun 2009 9:07] Bugs System
Pushed into 5.1.35-ndb-7.0.7 (revid:jonas@mysql.com-20090615074335-9hcltksp5cu5fucn) (version source revid:jonas@mysql.com-20090615072714-rmfkvrbbipd9r32c) (merge vers: 5.1.35-ndb-7.0.7) (pib:6)
[15 Jun 2009 9:48] Bugs System
Pushed into 5.1.35-ndb-6.2.19 (revid:jonas@mysql.com-20090615061520-sq7ds4yw299ggugm) (version source revid:jonas@mysql.com-20090615054654-ebgpz7elwu1xj36j) (merge vers: 5.1.35-ndb-6.2.19) (pib:6)
[23 Jul 2009 10:24] Bugs System
Pushed into 5.4.4-alpha (revid:alik@sun.com-20090723102221-ps4uaphwbxzj8p0q) (version source revid:joerg@mysql.com-20090721145751-rqqnhv0kage18wfi) (merge vers: 5.4.4-alpha) (pib:11)
[26 Aug 2009 13:46] Bugs System
Pushed into 5.1.37-ndb-7.0.8 (revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers: 5.1.37-ndb-7.0.8) (pib:11)
[26 Aug 2009 13:46] Bugs System
Pushed into 5.1.37-ndb-6.3.27 (revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (version source revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (merge vers: 5.1.37-ndb-6.3.27) (pib:11)
[26 Aug 2009 13:48] Bugs System
Pushed into 5.1.37-ndb-6.2.19 (revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (version source revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (merge vers: 5.1.37-ndb-6.2.19) (pib:11)
[27 Aug 2009 16:33] Bugs System
Pushed into 5.1.35-ndb-7.1.0 (revid:magnus.blaudd@sun.com-20090827163030-6o3kk6r2oua159hr) (version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers: 5.1.37-ndb-7.0.8) (pib:11)
[8 Oct 2009 20:12] Paul Dubois
The 5.4 fix has been pushed to 5.4.2.