From: Paul Ramsey Date: Tue, 10 Oct 2017 22:45:47 +0000 (+0000) Subject: Throw error on malformed WKB input (2.4 branch) X-Git-Tag: 2.4.1~10 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d6ba826e31381a3c220b939dc51db520a34719ed;p=postgis Throw error on malformed WKB input (2.4 branch) Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2589 Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2590 Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2591 Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2592 (References #3895) git-svn-id: http://svn.osgeo.org/postgis/branches/2.4@15960 b70326c6-7e19-0410-871a-916f4a2858ee --- diff --git a/NEWS b/NEWS index 0e930c2b6..f18bde957 100644 --- a/NEWS +++ b/NEWS @@ -14,6 +14,7 @@ YYYY/MM/DD - #3874, lw_dist2d_pt_arc division by zero - #3882, undefined behaviour in zigzag with negative inputs - #3891, undefined behaviour in pointarray_to_encoded_polyline + - #3895, throw error on malformed WKB input PostGIS 2.4.0 diff --git a/liblwgeom/lwin_wkb.c b/liblwgeom/lwin_wkb.c index 99308d1c2..7a488b210 100644 --- a/liblwgeom/lwin_wkb.c +++ b/liblwgeom/lwin_wkb.c @@ -332,9 +332,14 @@ static POINTARRAY* ptarray_from_wkb_state(wkb_parse_state *s) size_t pa_size; uint32_t ndims = 2; uint32_t npoints = 0; + static uint32_t maxpoints = 4294967295 / WKB_DOUBLE_SIZE / 4; /* Calculate the size of this point array. */ npoints = integer_from_wkb_state(s); + if (npoints > maxpoints) + { + lwerror("point array length (%d) is too large"); + } LWDEBUGF(4,"Pointarray has %d points", npoints);
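Review bot: in the lwin_wkb.c hunk, the new error call in ptarray_from_wkb_state has a `%d` conversion but no matching argument (`lwerror("point array length (%d) is too large");`), so the error path reads a missing vararg, which is undefined behaviour in exactly the input-validation code this change is meant to harden; pass the value and use the unsigned conversion, `lwerror("point array length (%u) is too large", npoints);`. Two smaller points in the same hunk: `static uint32_t maxpoints = 4294967295 / WKB_DOUBLE_SIZE / 4;` would be clearer as a `const` (or a macro) derived from `UINT32_MAX`, so the intent, keeping `npoints * ndims * WKB_DOUBLE_SIZE` below 2^32 when `pa_size` is computed, is visible rather than a magic number; and since the bound assumes the maximum of four dimensions, it is a conservative guard against the size arithmetic wrapping, not a check that the input actually contains that many bytes, so the parser still needs a remaining-length check against the parse state `s` before reading the coordinates (if one already exists below this hunk, a comment pointing to it would help).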