1 files changed, 174 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/mysql/mariadb/fix-cve-2013-1861-1.patch b/meta-oe/recipes-support/mysql/mariadb/fix-cve-2013-1861-1.patch
new file mode 100644
index 0000000000..df2e7086c4
--- /dev/null
+++ b/meta-oe/recipes-support/mysql/mariadb/fix-cve-2013-1861-1.patch
@@ -0,0 +1,174 @@
+From 24404044ad4c28026e400e1fcd85358f2060aa96 Mon Sep 17 00:00:00 2001
+From: Alexey Botchkov <holyfoot@askmonty.org>
+Date: Sun, 10 Mar 2013 23:08:05 +0400
+Subject: [PATCH] MDEV-4252 geometry query crashes server.       The bug was
+ found by Alyssa Milburn.       If the number of points of a geometry feature
+ read from       binary representation is greater than 0x10000000, then      
+ the (uint32) (num_points * 16) will cut the higher byte,       which leads to
+ various errors.       Fixed by additional check if (num_points >
+ max_n_points).
+Upstream-Status: Backport
+Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
+---
+ mysql-test/r/gis.result |  3 +++
+ mysql-test/t/gis.test   |  1 +
+ sql/spatial.cc          | 27 ++++++++++++++++++---------
+ sql/spatial.h           |  9 +++++----
+ 4 files changed, 27 insertions(+), 13 deletions(-)
+diff --git a/mysql-test/r/gis.result b/mysql-test/r/gis.result
+index 8dad72f..69e73d0 100644
+--- a/mysql-test/r/gis.result
+++ b/mysql-test/r/gis.result
+@@ -1087,4 +1087,7 @@ NULL
+ #
+ SELECT GEOMETRYCOLLECTION((SELECT @@OLD));
+ ERROR 22007: Illegal non geometric '' value found during parsing
+select astext(0x0100000000030000000100000000000010);
+astext(0x0100000000030000000100000000000010)
+NULL
+ End of 5.1 tests
+diff --git a/mysql-test/t/gis.test b/mysql-test/t/gis.test
+index abda3e9..cc5d158 100644
+--- a/mysql-test/t/gis.test
+++ b/mysql-test/t/gis.test
+@@ -826,5 +826,6 @@ SELECT ISCLOSED(CONVERT(CONCAT('     ', 0x2), BINARY(20)));
+ --error ER_ILLEGAL_VALUE_FOR_TYPE
+ SELECT GEOMETRYCOLLECTION((SELECT @@OLD));
+ 
+select astext(0x0100000000030000000100000000000010);
+ 
+ --echo End of 5.1 tests
+diff --git a/sql/spatial.cc b/sql/spatial.cc
+index eec028e..94d0238 100644
+--- a/sql/spatial.cc
+++ b/sql/spatial.cc
+@@ -556,7 +556,7 @@ bool Gis_line_string::get_data_as_wkt(String *txt, const char **end) const
+   n_points= uint4korr(data);
+   data += 4;
+ 
+-  if (n_points < 1 ||
+  if (n_points < 1 || n_points > max_n_points ||
+       no_data(data, SIZEOF_STORED_DOUBLE * 2 * n_points) ||
+       txt->reserve(((MAX_DIGITS_IN_DOUBLE + 1)*2 + 1) * n_points))
+     return 1;
+@@ -594,7 +594,8 @@ int Gis_line_string::geom_length(double *len) const
+     return 1;
+   n_points= uint4korr(data);
+   data+= 4;
+-  if (n_points < 1 || no_data(data, SIZEOF_STORED_DOUBLE * 2 * n_points))
+  if (n_points < 1 || n_points > max_n_points ||
+      no_data(data, SIZEOF_STORED_DOUBLE * 2 * n_points))
+     return 1;
+ 
+   get_point(&prev_x, &prev_y, data);
+@@ -628,7 +629,7 @@ int Gis_line_string::is_closed(int *closed) const
+     return 0;
+   }
+   data+= 4;
+-  if (n_points == 0 ||
+  if (n_points == 0 || n_points > max_n_points ||
+       no_data(data, SIZEOF_STORED_DOUBLE * 2 * n_points))
+     return 1;
+ 
+@@ -798,7 +799,8 @@ bool Gis_polygon::get_data_as_wkt(String *txt, const char **end) const
+       return 1;
+     n_points= uint4korr(data);
+     data+= 4;
+-    if (no_data(data, (SIZEOF_STORED_DOUBLE*2) * n_points) ||
+    if (n_points > max_n_points ||
+        no_data(data, (SIZEOF_STORED_DOUBLE*2) * n_points) ||
+        txt->reserve(2 + ((MAX_DIGITS_IN_DOUBLE + 1) * 2 + 1) * n_points))
+       return 1;
+     txt->qs_append('(');
+@@ -852,7 +854,8 @@ int Gis_polygon::area(double *ar, const char **end_of_data) const
+     if (no_data(data, 4))
+       return 1;
+     n_points= uint4korr(data);
+-    if (no_data(data, (SIZEOF_STORED_DOUBLE*2) * n_points))
+    if (n_points > max_n_points ||
+        no_data(data, (SIZEOF_STORED_DOUBLE*2) * n_points))
+       return 1;
+     get_point(&prev_x, &prev_y, data+4);
+     data+= (4+SIZEOF_STORED_DOUBLE*2);
+@@ -888,7 +891,8 @@ int Gis_polygon::exterior_ring(String *result) const
+   n_points= uint4korr(data);
+   data+= 4;
+   length= n_points * POINT_DATA_SIZE;
+-  if (no_data(data, length) || result->reserve(1+4+4+ length))
+  if (n_points > max_n_points ||
+      no_data(data, length) || result->reserve(1+4+4+ length))
+     return 1;
+ 
+   result->q_append((char) wkb_ndr);
+@@ -973,7 +977,8 @@ int Gis_polygon::centroid_xy(double *x, double *y) const
+       return 1;
+     org_n_points= n_points= uint4korr(data);
+     data+= 4;
+-    if (no_data(data, (SIZEOF_STORED_DOUBLE*2) * n_points))
+    if (n_points > max_n_points ||
+        no_data(data, (SIZEOF_STORED_DOUBLE*2) * n_points))
+       return 1;
+     get_point(&prev_x, &prev_y, data);
+     data+= (SIZEOF_STORED_DOUBLE*2);
+@@ -1260,7 +1265,8 @@ bool Gis_multi_line_string::get_data_as_wkt(String *txt,
+       return 1;
+     n_points= uint4korr(data + WKB_HEADER_SIZE);
+     data+= WKB_HEADER_SIZE + 4;
+-    if (no_data(data, n_points * (SIZEOF_STORED_DOUBLE*2)) ||
+    if (n_points > max_n_points ||
+        no_data(data, n_points * (SIZEOF_STORED_DOUBLE*2)) ||
+        txt->reserve(2 + ((MAX_DIGITS_IN_DOUBLE + 1) * 2 + 1) * n_points))
+       return 1;
+     txt->qs_append('(');
+@@ -1521,7 +1527,8 @@ bool Gis_multi_polygon::get_data_as_wkt(String *txt, const char **end) const
+         return 1;
+       uint32 n_points= uint4korr(data);
+       data+= 4;
+-      if (no_data(data, (SIZEOF_STORED_DOUBLE * 2) * n_points) ||
+      if (n_points > max_n_points ||
+          no_data(data, (SIZEOF_STORED_DOUBLE * 2) * n_points) ||
+          txt->reserve(2 + ((MAX_DIGITS_IN_DOUBLE + 1) * 2 + 1) * n_points,
+                       512))
+        return 1;
+@@ -1604,6 +1611,8 @@ int Gis_multi_polygon::geometry_n(uint32 num, String *result) const
+       if (no_data(data, 4))
+        return 1;
+       n_points= uint4korr(data);
+      if (n_points > max_n_points)
+        return 1;
+       data+= 4 + POINT_DATA_SIZE * n_points;
+     }
+   } while (--num);
+diff --git a/sql/spatial.h b/sql/spatial.h
+index 20b3856..7d25425 100644
+--- a/sql/spatial.h
+++ b/sql/spatial.h
+@@ -197,6 +197,11 @@ struct MBR
+ class Geometry
+ {
+ public:
+  // Maximum number of points in feature that can fit into String
+  static const uint32 max_n_points=
+    (uint32) (UINT_MAX32 - WKB_HEADER_SIZE - 4 /* n_points */) /
+    POINT_DATA_SIZE;
+public:
+   Geometry() {}                               /* Remove gcc warning */
+   virtual ~Geometry() {}                        /* Remove gcc warning */
+   static void *operator new(size_t size, void *buffer)
+@@ -379,10 +384,6 @@ class Gis_point: public Geometry
+ 
+ class Gis_line_string: public Geometry
+ {
+-  // Maximum number of points in LineString that can fit into String
+-  static const uint32 max_n_points=
+-    (uint32) (UINT_MAX32 - WKB_HEADER_SIZE - 4 /* n_points */) /
+-    POINT_DATA_SIZE;
+ public:
+   Gis_line_string() {}                        /* Remove gcc warning */
+   virtual ~Gis_line_string() {}               /* Remove gcc warning */
+-- 
+1.8.1.6

diff --git a/meta-oe/recipes-support/mysql/mariadb/fix-cve-2013-1861-1.patch b/meta-oe/recipes-support/mysql/mariadb/fix-cve-2013-1861-1.patch new file mode 100644 index 0000000000..df2e7086c4 --- /dev/null +++ b/meta-oe/recipes-support/mysql/mariadb/fix-cve-2013-1861-1.patch
@@ -0,0 +1,174 @@
	1	From 24404044ad4c28026e400e1fcd85358f2060aa96 Mon Sep 17 00:00:00 2001
	2	From: Alexey Botchkov <holyfoot@askmonty.org>
	3	Date: Sun, 10 Mar 2013 23:08:05 +0400
	4	Subject: [PATCH] MDEV-4252 geometry query crashes server. The bug was
	5	found by Alyssa Milburn. If the number of points of a geometry feature
	6	read from binary representation is greater than 0x10000000, then
	7	the (uint32) (num_points * 16) will cut the higher byte, which leads to
	8	various errors. Fixed by additional check if (num_points >
	9	max_n_points).
	10
	11	Upstream-Status: Backport
	12	Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
	13
	14	---
	15	mysql-test/r/gis.result \| 3 +++
	16	mysql-test/t/gis.test \| 1 +
	17	sql/spatial.cc \| 27 ++++++++++++++++++---------
	18	sql/spatial.h \| 9 +++++----
	19	4 files changed, 27 insertions(+), 13 deletions(-)
	20
	21	diff --git a/mysql-test/r/gis.result b/mysql-test/r/gis.result
	22	index 8dad72f..69e73d0 100644
	23	--- a/mysql-test/r/gis.result
	24	+++ b/mysql-test/r/gis.result
	25	@@ -1087,4 +1087,7 @@ NULL
	26	#
	27	SELECT GEOMETRYCOLLECTION((SELECT @@OLD));
	28	ERROR 22007: Illegal non geometric '' value found during parsing
	29	+select astext(0x0100000000030000000100000000000010);
	30	+astext(0x0100000000030000000100000000000010)
	31	+NULL
	32	End of 5.1 tests
	33	diff --git a/mysql-test/t/gis.test b/mysql-test/t/gis.test
	34	index abda3e9..cc5d158 100644
	35	--- a/mysql-test/t/gis.test
	36	+++ b/mysql-test/t/gis.test
	37	@@ -826,5 +826,6 @@ SELECT ISCLOSED(CONVERT(CONCAT(' ', 0x2), BINARY(20)));
	38	--error ER_ILLEGAL_VALUE_FOR_TYPE
	39	SELECT GEOMETRYCOLLECTION((SELECT @@OLD));
	40
	41	+select astext(0x0100000000030000000100000000000010);
	42
	43	--echo End of 5.1 tests
	44	diff --git a/sql/spatial.cc b/sql/spatial.cc
	45	index eec028e..94d0238 100644
	46	--- a/sql/spatial.cc
	47	+++ b/sql/spatial.cc
	48	@@ -556,7 +556,7 @@ bool Gis_line_string::get_data_as_wkt(String txt, const char *end) const
	49	n_points= uint4korr(data);
	50	data += 4;
	51
	52	- if (n_points < 1 \|\|
	53	+ if (n_points < 1 \|\| n_points > max_n_points \|\|
	54	no_data(data, SIZEOF_STORED_DOUBLE * 2 * n_points) \|\|
	55	txt->reserve(((MAX_DIGITS_IN_DOUBLE + 1)2 + 1) n_points))
	56	return 1;
	57	@@ -594,7 +594,8 @@ int Gis_line_string::geom_length(double *len) const
	58	return 1;
	59	n_points= uint4korr(data);
	60	data+= 4;
	61	- if (n_points < 1 \|\| no_data(data, SIZEOF_STORED_DOUBLE * 2 * n_points))
	62	+ if (n_points < 1 \|\| n_points > max_n_points \|\|
	63	+ no_data(data, SIZEOF_STORED_DOUBLE * 2 * n_points))
	64	return 1;
	65
	66	get_point(&prev_x, &prev_y, data);
	67	@@ -628,7 +629,7 @@ int Gis_line_string::is_closed(int *closed) const
	68	return 0;
	69	}
	70	data+= 4;
	71	- if (n_points == 0 \|\|
	72	+ if (n_points == 0 \|\| n_points > max_n_points \|\|
	73	no_data(data, SIZEOF_STORED_DOUBLE * 2 * n_points))
	74	return 1;
	75
	76	@@ -798,7 +799,8 @@ bool Gis_polygon::get_data_as_wkt(String txt, const char *end) const
	77	return 1;
	78	n_points= uint4korr(data);
	79	data+= 4;
	80	- if (no_data(data, (SIZEOF_STORED_DOUBLE2) n_points) \|\|
	81	+ if (n_points > max_n_points \|\|
	82	+ no_data(data, (SIZEOF_STORED_DOUBLE2) n_points) \|\|
	83	txt->reserve(2 + ((MAX_DIGITS_IN_DOUBLE + 1) * 2 + 1) * n_points))
	84	return 1;
	85	txt->qs_append('(');
	86	@@ -852,7 +854,8 @@ int Gis_polygon::area(double ar, const char *end_of_data) const
	87	if (no_data(data, 4))
	88	return 1;
	89	n_points= uint4korr(data);
	90	- if (no_data(data, (SIZEOF_STORED_DOUBLE2) n_points))
	91	+ if (n_points > max_n_points \|\|
	92	+ no_data(data, (SIZEOF_STORED_DOUBLE2) n_points))
	93	return 1;
	94	get_point(&prev_x, &prev_y, data+4);
	95	data+= (4+SIZEOF_STORED_DOUBLE*2);
	96	@@ -888,7 +891,8 @@ int Gis_polygon::exterior_ring(String *result) const
	97	n_points= uint4korr(data);
	98	data+= 4;
	99	length= n_points * POINT_DATA_SIZE;
	100	- if (no_data(data, length) \|\| result->reserve(1+4+4+ length))
	101	+ if (n_points > max_n_points \|\|
	102	+ no_data(data, length) \|\| result->reserve(1+4+4+ length))
	103	return 1;
	104
	105	result->q_append((char) wkb_ndr);
	106	@@ -973,7 +977,8 @@ int Gis_polygon::centroid_xy(double x, double y) const
	107	return 1;
	108	org_n_points= n_points= uint4korr(data);
	109	data+= 4;
	110	- if (no_data(data, (SIZEOF_STORED_DOUBLE2) n_points))
	111	+ if (n_points > max_n_points \|\|
	112	+ no_data(data, (SIZEOF_STORED_DOUBLE2) n_points))
	113	return 1;
	114	get_point(&prev_x, &prev_y, data);
	115	data+= (SIZEOF_STORED_DOUBLE*2);
	116	@@ -1260,7 +1265,8 @@ bool Gis_multi_line_string::get_data_as_wkt(String *txt,
	117	return 1;
	118	n_points= uint4korr(data + WKB_HEADER_SIZE);
	119	data+= WKB_HEADER_SIZE + 4;
	120	- if (no_data(data, n_points * (SIZEOF_STORED_DOUBLE*2)) \|\|
	121	+ if (n_points > max_n_points \|\|
	122	+ no_data(data, n_points * (SIZEOF_STORED_DOUBLE*2)) \|\|
	123	txt->reserve(2 + ((MAX_DIGITS_IN_DOUBLE + 1) * 2 + 1) * n_points))
	124	return 1;
	125	txt->qs_append('(');
	126	@@ -1521,7 +1527,8 @@ bool Gis_multi_polygon::get_data_as_wkt(String txt, const char *end) const
	127	return 1;
	128	uint32 n_points= uint4korr(data);
	129	data+= 4;
	130	- if (no_data(data, (SIZEOF_STORED_DOUBLE * 2) * n_points) \|\|
	131	+ if (n_points > max_n_points \|\|
	132	+ no_data(data, (SIZEOF_STORED_DOUBLE * 2) * n_points) \|\|
	133	txt->reserve(2 + ((MAX_DIGITS_IN_DOUBLE + 1) * 2 + 1) * n_points,
	134	512))
	135	return 1;
	136	@@ -1604,6 +1611,8 @@ int Gis_multi_polygon::geometry_n(uint32 num, String *result) const
	137	if (no_data(data, 4))
	138	return 1;
	139	n_points= uint4korr(data);
	140	+ if (n_points > max_n_points)
	141	+ return 1;
	142	data+= 4 + POINT_DATA_SIZE * n_points;
	143	}
	144	} while (--num);
	145	diff --git a/sql/spatial.h b/sql/spatial.h
	146	index 20b3856..7d25425 100644
	147	--- a/sql/spatial.h
	148	+++ b/sql/spatial.h
	149	@@ -197,6 +197,11 @@ struct MBR
	150	class Geometry
	151	{
	152	public:
	153	+ // Maximum number of points in feature that can fit into String
	154	+ static const uint32 max_n_points=
	155	+ (uint32) (UINT_MAX32 - WKB_HEADER_SIZE - 4 /* n_points */) /
	156	+ POINT_DATA_SIZE;
	157	+public:
	158	Geometry() {} /* Remove gcc warning */
	159	virtual ~Geometry() {} /* Remove gcc warning */
	160	static void operator new(size_t size, void buffer)
	161	@@ -379,10 +384,6 @@ class Gis_point: public Geometry
	162
	163	class Gis_line_string: public Geometry
	164	{
	165	- // Maximum number of points in LineString that can fit into String
	166	- static const uint32 max_n_points=
	167	- (uint32) (UINT_MAX32 - WKB_HEADER_SIZE - 4 /* n_points */) /
	168	- POINT_DATA_SIZE;
	169	public:
	170	Gis_line_string() {} /* Remove gcc warning */
	171	virtual ~Gis_line_string() {} /* Remove gcc warning */
	172	--
	173	1.8.1.6
	174