It seems CVE-2013-1861 has been fixed in MySQL upstream, but they don't
ship a test case for that. This patch only includes the test case ported
from MariaDB fix:
https://mariadb.atlassian.net/browse/MDEV-4252
 
diff -up mysql-5.6.14/mysql-test/r/gis.result.cve mysql-5.6.14/mysql-test/r/gis.result
--- mysql-5.6.14/mysql-test/r/gis.result.cve	2013-09-10 09:38:27.000000000 +0200
+++ mysql-5.6.14/mysql-test/r/gis.result	2013-10-09 15:08:59.886598028 +0200
@@ -1115,6 +1115,21 @@ SELECT 1 FROM g1 WHERE a >= ANY
 (SELECT 1 FROM g1 WHERE a = geomfromtext('') OR a) ;
 1
 DROP TABLE g1;
+#
+# TODO-424 geometry query crashes server
+#
+select astext(0x0100000000030000000100000000000010);
+astext(0x0100000000030000000100000000000010)
+NULL
+select area(0x0100000000030000000100000000000010);
+area(0x0100000000030000000100000000000010)
+NULL
+select astext(exteriorring(0x0100000000030000000100000000000010));
+astext(exteriorring(0x0100000000030000000100000000000010))
+NULL
+select astext(centroid(0x0100000000030000000100000000000010));
+astext(centroid(0x0100000000030000000100000000000010))
+NULL
 End of 5.5 tests
 DROP DATABASE IF EXISTS gis_ogs;
 CREATE DATABASE gis_ogs;
diff -up mysql-5.6.14/mysql-test/t/gis.test.cve mysql-5.6.14/mysql-test/t/gis.test
--- mysql-5.6.14/mysql-test/t/gis.test.cve	2013-09-10 09:38:27.000000000 +0200
+++ mysql-5.6.14/mysql-test/t/gis.test	2013-10-09 15:08:59.886598028 +0200
@@ -868,6 +868,13 @@ SELECT 1 FROM g1 WHERE a >= ANY
 
 DROP TABLE g1;
 
+--echo #
+--echo # TODO-424 geometry query crashes server
+--echo #
+select astext(0x0100000000030000000100000000000010);
+select area(0x0100000000030000000100000000000010);
+select astext(exteriorring(0x0100000000030000000100000000000010));
+select astext(centroid(0x0100000000030000000100000000000010));
 --echo End of 5.5 tests