From d6ba826e31381a3c220b939dc51db520a34719ed Mon Sep 17 00:00:00 2001
From: Paul Ramsey
Date: Tue, 10 Oct 2017 22:45:47 +0000
Subject: [PATCH] Throw error on malformed WKB input (2.4 branch)

Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2589
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2590
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2591
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2592

(References #3895)

git-svn-id: http://svn.osgeo.org/postgis/branches/2.4@15960 b70326c6-7e19-0410-871a-916f4a2858ee
---
 NEWS | 1 +
 liblwgeom/lwin_wkb.c | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/NEWS b/NEWS
index 0e930c2b6..f18bde957 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,7 @@ YYYY/MM/DD
 - #3874, lw_dist2d_pt_arc division by zero
 - #3882, undefined behaviour in zigzag with negative inputs
 - #3891, undefined behaviour in pointarray_to_encoded_polyline
+ - #3895, throw error on malformed WKB input
 
 PostGIS 2.4.0
 
diff --git a/liblwgeom/lwin_wkb.c b/liblwgeom/lwin_wkb.c
index 99308d1c2..7a488b210 100644
--- a/liblwgeom/lwin_wkb.c
+++ b/liblwgeom/lwin_wkb.c
@@ -332,9 +332,14 @@ static POINTARRAY* ptarray_from_wkb_state(wkb_parse_state *s)
 size_t pa_size;
 uint32_t ndims = 2;
 uint32_t npoints = 0;
+ static uint32_t maxpoints = 4294967295 / WKB_DOUBLE_SIZE / 4;
 
 /* Calculate the size of this point array. */
 npoints = integer_from_wkb_state(s);
+ if (npoints > maxpoints)
+ {
+ lwerror("point array length (%d) is too large");
+ }
 
 LWDEBUGF(4,"Pointarray has %d points", npoints);
 
-- 
2.50.1
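Review bot: The added `lwerror("point array length (%d) is too large");` has a `%d` conversion with no matching argument, so the error path itself reads an undefined vararg; it should pass the length, and because `npoints` is `uint32_t` the conversion should be `%u`: `lwerror("point array length (%u) is too large", npoints);`. The cap `4294967295 / WKB_DOUBLE_SIZE / 4` only keeps the later `pa_size` multiplication from overflowing for the 4-dimensional worst case; a count under that limit can still exceed the bytes remaining in the input, so unless a buffer-bounds check on `pa_size` follows later in `ptarray_from_wkb_state` (the rest of the function is outside the hunk), a comparison against the remaining input length is the check a fuzzer will hit next. If `lwerror` can return in this build rather than longjmp or abort, a `return NULL;` after it is needed so parsing does not continue with the rejected count. The new constant deserves a why-comment, e.g. `/* Largest npoints for which npoints * ndims * WKB_DOUBLE_SIZE cannot overflow uint32_t (ndims <= 4). */`.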