Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2589
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2590
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2591
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2592
(References #3895)
git-svn-id: http://svn.osgeo.org/postgis/branches/2.4@15960 b70326c6-7e19-0410-871a-916f4a2858ee
- #3874, lw_dist2d_pt_arc division by zero
- #3882, undefined behaviour in zigzag with negative inputs
- #3891, undefined behaviour in pointarray_to_encoded_polyline
+ - #3895, throw error on malformed WKB input
PostGIS 2.4.0
size_t pa_size;
uint32_t ndims = 2;
uint32_t npoints = 0;
+ static uint32_t maxpoints = 4294967295 / WKB_DOUBLE_SIZE / 4;
/* Calculate the size of this point array. */
npoints = integer_from_wkb_state(s);
+ if (npoints > maxpoints)
+ {
+ lwerror("point array length (%d) is too large");
+ }
LWDEBUGF(4,"Pointarray has %d points", npoints);
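Review bot: In the new npoints > maxpoints check, lwerror("point array length (%d) is too large") carries a %d conversion but passes no argument, so formatting the message reads a value that was never supplied. Pass npoints and use %u, since npoints is a uint32_t. The block also contains only the lwerror call with no return after it, so if the error handler hands control back, execution falls through to the LWDEBUGF line and beyond with the oversized npoints; an explicit return right after the error would make the rejection unconditional. A one-line comment on maxpoints saying what the divisors in 4294967295 / WKB_DOUBLE_SIZE / 4 represent would also help, as the trailing 4 is not self-explanatory next to ndims = 2.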