Bug #30955 geomfromtext() crasher.

holyfoot/hf@mysql.com/hfmain.(none) · holyfoot/hf@mysql.com/hfmain.(none) · commit a7a6c6eb08f9 · 2007-10-03T13:35:35.000+05:00
end-of-line check missed in Gis_read_stream::get_next_word,
what can lead to crashes (expecially with NULL strings).

End-of-line check added
diff --git a/mysql-test/r/gis.result b/mysql-test/r/gis.result
@@ -724,4 +724,10 @@ SELECT * FROM t1;
 a
 NULL
 DROP TABLE t1;
+CREATE TABLE `t1` ( `col9` set('a'), `col89` date);
+INSERT INTO `t1` VALUES ('','0000-00-00');
+select geomfromtext(col9,col89) as a from t1;
+a
+NULL
+DROP TABLE t1;
 End of 4.1 tests
diff --git a/mysql-test/t/gis.test b/mysql-test/t/gis.test
@@ -419,4 +419,12 @@ INSERT INTO t1 VALUES (NULL);
 SELECT * FROM t1;
 DROP TABLE t1;
 
+#
+# Bug #30955 geomfromtext() crasher
+#
+CREATE TABLE `t1` ( `col9` set('a'), `col89` date);
+INSERT INTO `t1` VALUES ('','0000-00-00');
+select geomfromtext(col9,col89) as a from t1;
+DROP TABLE t1;
+
 --echo End of 4.1 tests
diff --git a/sql/gstream.cc b/sql/gstream.cc
@@ -45,7 +45,7 @@ bool Gis_read_stream::get_next_word(LEX_STRING *res)
   skip_space();
   res->str= (char*) m_cur;
   /* The following will also test for \0 */
-  if (!my_isvar_start(&my_charset_bin, *m_cur))
+  if ((m_cur >= m_limit) || !my_isvar_start(&my_charset_bin, *m_cur))
     return 1;
 
   /*
