Bug #51875 crash when loading data into geometry function polyfromwkb
Submitted: 9 Mar 2010 16:19 Modified: 14 Apr 2011 13:15
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: GIS    Severity: S1 (Critical)
Version: 5.0.90, 5.1.44    OS: Any
Assigned to: Ramil Kalimullin
Tags: crash, polyfromwkb
Triage: Triaged: D1 (Critical)

[9 Mar 2010 16:19] Shane Bester
Description:
5.1.44 stack trace:

mysqld-debug.exe!get_point()[spatial.cc:126]
mysqld-debug.exe!Gis_line_string::is_closed()[spatial.cc:632]
mysqld-debug.exe!Gis_polygon::init_from_wkb()[spatial.cc:762]
mysqld-debug.exe!Geometry::create_from_wkb()[spatial.cc:257]
mysqld-debug.exe!Item_func_geometry_from_wkb::val_str()[item_geofunc.cc:107]
mysqld-debug.exe!Item::save_in_field()[item.cc:5106]
mysqld-debug.exe!fill_record()[sql_base.cc:8156]
mysqld-debug.exe!fill_record_n_invoke_before_triggers()[sql_base.cc:8201]
mysqld-debug.exe!read_sep_field()[sql_load.cc:999]
mysqld-debug.exe!mysql_load()[sql_load.cc:439]
mysqld-debug.exe!mysql_execute_command()[sql_parse.cc:3459]
mysqld-debug.exe!mysql_parse()[sql_parse.cc:5975]
mysqld-debug.exe!dispatch_command()[sql_parse.cc:1235]
mysqld-debug.exe!do_command()[sql_parse.cc:874]
mysqld-debug.exe!handle_one_connection()[sql_connect.cc:1127]
mysqld-debug.exe!pthread_start()[my_winthread.c:85]
mysqld-debug.exe!_callthreadstart()[thread.c:295]
mysqld-debug.exe!_threadstart()[thread.c:277]
kernel32.dll!BaseThreadStart()

How to repeat:
drop table if exists t1;
create table t1(a int)engine=myisam;
load data infile '/tmp/data.bin' into table `t1`
fields terminated by 'E'
(@`var1`,@`var1`)
set `a`=polyfromwkb(@`var1`);
[9 Mar 2010 16:21] Shane Bester
data.bin

Attachment: data.bin (application/octet-stream, text), 174.27 KiB.

[9 Mar 2010 16:29] Valerii Kravchuk
I do not see a crash with recent 5.1.45 from bzr on Mac OS X:

77-52-24-143:5.1 openxs$ bin/mysql -uroot test
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 5.1.45-debug Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> drop table if exists t1;
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> create table t1(a int)engine=myisam;
Query OK, 0 rows affected (0.07 sec)

mysql> load data infile '/Users/openxs/Downloads/data.bin' into table `t1`
    -> fields terminated by 'E'
    -> (@`var1`,@`var1`)
    -> set `a`=polyfromwkb(@`var1`);
Query OK, 242 rows affected, 73 warnings (0.06 sec)
Records: 242  Deleted: 0  Skipped: 0  Warnings: 71
[9 Mar 2010 16:57] Miguel Solorzano
100309 13:31:23 [Note] Plugin 'FEDERATED' is disabled.
100309 13:31:24 [Note] Event Scheduler: Loaded 0 events
100309 13:31:24 [Note] C:\DBS\5.1\bin\mysqld: ready for connections.
Version: '5.1.46-Win X64-debug-log'  socket: ''  port: 3306  Source distribution
100309 13:33:26 - mysqld got exception 0xc0000005 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

key_buffer_size=8384512
read_buffer_size=131072
max_used_connections=1
max_threads=151
threads_connected=1
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 338112 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

thd: 0xc71ee8
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
00000001403F7595    mysqld.exe!get_point()[spatial.cc:126]
00000001403F8482    mysqld.exe!Gis_line_string::is_closed()[spatial.cc:632]
00000001403F8BC3    mysqld.exe!Gis_polygon::init_from_wkb()[spatial.cc:762]
00000001403F70A0    mysqld.exe!Geometry::create_from_wkb()[spatial.cc:257]
00000001403656B3    mysqld.exe!Item_func_geometry_from_wkb::val_str()[item_geofunc.cc:107]
00000001401EF549    mysqld.exe!Item::save_in_field()[item.cc:5122]
000000014017A1AA    mysqld.exe!fill_record()[sql_base.cc:8170]
0000000140179EFC    mysqld.exe!fill_record_n_invoke_before_triggers()[sql_base.cc:8215]
00000001403A8576    mysqld.exe!read_sep_field()[sql_load.cc:999]
00000001403A645D    mysqld.exe!mysql_load()[sql_load.cc:439]
000000014020A899    mysqld.exe!mysql_execute_command()[sql_parse.cc:3459]
0000000140213735    mysqld.exe!mysql_parse()[sql_parse.cc:5975]
000000014020423B    mysqld.exe!dispatch_command()[sql_parse.cc:1235]
00000001402034EA    mysqld.exe!do_command()[sql_parse.cc:874]
00000001400C7235    mysqld.exe!handle_one_connection()[sql_connect.cc:1127]
0000000140604D45    mysqld.exe!pthread_start()[my_winthread.c:85]
00000001405DAFB5    mysqld.exe!_callthreadstart()[thread.c:295]
00000001405DAF87    mysqld.exe!_threadstart()[thread.c:277]
0000000077A7BE3D    kernel32.dll!BaseThreadInitThunk()
0000000077BB6A51    ntdll.dll!RtlUserThreadStart()
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 0000000000CF1E58=load data infile 'c:/dbs/5.1/data.bin' into table `t1`
fields terminated by 'E'
(@`var1`,@`var1`)
set `a`=polyfromwkb(@`var1`)
thd->thread_id=2
thd->killed=NOT_KILLED
The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.
[30 Aug 2010 7:52] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/117094

3494 Ramil Kalimullin	2010-08-30
      Fix for bug #51875: crash when loading data into geometry function polyfromwkb
      
      Check for number of line strings in the incoming polygon data (wkb) and
      for number of points in the incoming linestring wkb.
     @ mysql-test/r/gis.result
        Fix for bug #51875: crash when loading data into geometry function polyfromwkb
          - test result.
     @ mysql-test/t/gis.test
        Fix for bug #51875: crash when loading data into geometry function polyfromwkb
          - test case.
     @ sql/spatial.cc
        Fix for bug #51875: crash when loading data into geometry function polyfromwkb
          - creating a polygon from wkb check for number of line strings,
          - creating a linestring from wkb check for number of line points.
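The two counts the commit message names (rings per polygon, points per ring) are exactly what a WKB reader has to validate against the remaining buffer length before it dereferences any point; the 5.1 trace above died in the closed-ring test that reads the last point. The following is an added example, not MySQL's spatial.cc, of a hypothetical bounds-checked polygon reader in C with a constructed sample; `wkb_polygon_is_valid`, `build_sample_square` and `check_sample` are assumed names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical bounds-checked reader for an NDR (little-endian) WKB polygon:
   byte order (1), type (4, polygon == 3), ring count (4), then per ring a
   point count (4) followed by 16-byte x/y doubles. Assumes a little-endian host. */
typedef struct { const uint8_t *p; size_t left; } wkb_reader;
static int rd_u32(wkb_reader *r, uint32_t *out) {
    if (r->left < 4) return 0;                 /* never read past the buffer */
    memcpy(out, r->p, 4); r->p += 4; r->left -= 4;
    return 1;
}

/* Returns 1 if buf holds a well-formed polygon, 0 otherwise. */
int wkb_polygon_is_valid(const uint8_t *buf, size_t len, uint32_t *rings_out) {
    wkb_reader r = { buf, len };
    uint32_t type, nrings, npts, i;
    if (len < 1 || buf[0] != 1) return 0;      /* only NDR handled in this example */
    r.p++; r.left--;
    if (!rd_u32(&r, &type) || type != 3) return 0;
    if (!rd_u32(&r, &nrings) || nrings == 0 || nrings > r.left / 4) return 0;
    for (i = 0; i < nrings; i++) {
        if (!rd_u32(&r, &npts)) return 0;
        /* The check the crash lacked: the declared point count must fit in the
           bytes that remain before any point (e.g. the last one) is touched. */
        if (npts < 4 || npts > r.left / 16) return 0;
        /* closed-ring test, now safe: first point equals last point */
        if (memcmp(r.p, r.p + (size_t)(npts - 1) * 16, 16) != 0) return 0;
        r.p += (size_t)npts * 16; r.left -= (size_t)npts * 16;
    }
    if (rings_out) *rings_out = nrings;
    return r.left == 0;                        /* reject trailing bytes */
}

/* Constructed sample: one closed 5-point ring (unit square), 93 bytes. */
size_t build_sample_square(uint8_t *out) {
    static const double pts[5][2] = {{0,0},{1,0},{1,1},{0,1},{0,0}};
    uint32_t hdr[3] = { 3, 1, 5 };             /* type, ring count, point count */
    out[0] = 1;
    memcpy(out + 1, hdr, sizeof hdr);
    memcpy(out + 13, pts, sizeof pts);
    return 13 + sizeof pts;
}

/* Builds the sample, overwrites its point count, validates only the first len bytes. */
int check_sample(uint32_t point_count, size_t len) {
    uint8_t buf[128]; size_t n = build_sample_square(buf);
    memcpy(buf + 9, &point_count, 4);
    return wkb_polygon_is_valid(buf, len < n ? len : n, NULL);
}
```

A truncated input (fewer bytes than the declared point count needs) and an inflated count are both rejected by the same length check, before the closed-ring comparison is ever reached.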
[8 Sep 2010 19:05] Paul Dubois
Noted in 5.1.51, 5.5.7 changelogs.

The PolyFromWKB() function could crash the server when improper WKB
data was passed to the function.
[28 Sep 2010 8:48] Bugs System
Pushed into mysql-5.1 5.1.52 (revid:sunanda.menon@sun.com-20100928083322-wangbv97uobu7g66) (version source revid:sunanda.menon@sun.com-20100928083322-wangbv97uobu7g66) (merge vers: 5.1.52) (pib:21)
[28 Sep 2010 15:40] Bugs System
Pushed into mysql-trunk 5.6.1-m4 (revid:alik@sun.com-20100928153607-tdsxkdm5cmuym5sq) (version source revid:alik@sun.com-20100928153508-0saa6v93dinqx1u7) (merge vers: 5.6.1-m4) (pib:21)
[28 Sep 2010 15:42] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100928153646-pqp8o1a92mxtuj3h) (version source revid:alik@sun.com-20100928153532-lr3gtvnyp2en4y75) (pib:21)
[28 Sep 2010 15:44] Bugs System
Pushed into mysql-5.5 5.5.7-rc (revid:alik@sun.com-20100928153459-4nudf4zgzlou4s7q) (version source revid:alik@sun.com-20100928153459-4nudf4zgzlou4s7q) (merge vers: 5.5.7-rc) (pib:21)
[28 Sep 2010 19:29] Paul Dubois
Noted in 5.6.1 changelog.
[14 Oct 2010 8:39] Bugs System
Pushed into mysql-5.1-telco-7.0 5.1.51-ndb-7.0.20 (revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (version source revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (merge vers: 5.1.51-ndb-7.0.20) (pib:21)
[14 Oct 2010 8:54] Bugs System
Pushed into mysql-5.1-telco-6.3 5.1.51-ndb-6.3.39 (revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (version source revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (merge vers: 5.1.51-ndb-6.3.39) (pib:21)
[14 Oct 2010 9:11] Bugs System
Pushed into mysql-5.1-telco-6.2 5.1.51-ndb-6.2.19 (revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (version source revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (merge vers: 5.1.51-ndb-6.2.19) (pib:21)
[14 Oct 2010 14:17] Jon Stephens
Already documented in the 5.1.51 changelog; no additional changelog entries required. Set back to Closed state.
[15 Oct 2010 5:21] Shane Bester
still crashes 5.0.91:

Invalid read of size 8
at 0x6B5A8B: Gis_polygon::init_from_wkb (spatial.cc:123)
by 0x6B20CD: Geometry::create_from_wkb (spatial.cc:254)
by 0x55C519: Item_func_geometry_from_wkb::val_str (item_geofunc.cc:97)
by 0x4EF9C1: Item::save_in_field (item.cc:4735)
by 0x5C8A79: fill_record_n_invoke_before_triggers (sql_base.cc:5830)
by 0x67C5D8: mysql_load (sql_load.cc:835)
by 0x5A8EA6: mysql_execute_command (sql_parse.cc:4139)
by 0x5AB9A6: mysql_parse (sql_parse.cc:6470)
by 0x5ACBCA: dispatch_command (sql_parse.cc:1966)
by 0x5AE2A8: handle_one_connection (sql_parse.cc:1647)
by 0x30E1807760: start_thread (pthread_create.c:301)
 Address 0x108a405a1 is not stack'd, malloc'd or (recently) free'd
[3 Nov 2010 19:51] Paul Dubois
CVE-2010-3840
[14 Apr 2011 13:15] Paul Dubois
Noted in 5.0.93 changelog.