[postgis-tickets] [SCM] PostGIS branch master updated. 07fa25e445e99075682fcf0191fb1b62d59e9446

git at osgeo.org git at osgeo.org
Mon Jan 20 02:33:44 PST 2020


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "PostGIS".

The branch, master has been updated
       via  07fa25e445e99075682fcf0191fb1b62d59e9446 (commit)
       via  f89db5ac34462073be8cfb835a2ea9256ea42cf6 (commit)
      from  b3fa5083d3d4d0457379775f6d40461926e012ad (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 07fa25e445e99075682fcf0191fb1b62d59e9446
Author: Raúl Marín <git at rmr.ninja>
Date:   Fri Jan 17 17:22:42 2020 +0100

    Prevent stack overflow when parsing WKB
    
    References #4621
    Closes https://github.com/postgis/postgis/pull/536

diff --git a/NEWS b/NEWS
index 28e2b7c..d862af0 100644
--- a/NEWS
+++ b/NEWS
@@ -43,6 +43,7 @@ PostGIS 3.1.0
   - #4599, ST_AddPoint: Accept -1 as a valid position (Raúl Marín)
   - #4600, Improve precision of ST_TileEnvelope (Raúl Marín)
   - #4608, PG12: Fix several bugs in the index support function (Raúl Marín)
+  - #4621, Prevent stack overflow when parsing WKB (Raúl Marín)
 
 
 PostGIS 3.0.0
diff --git a/liblwgeom/cunit/cu_in_wkb.c b/liblwgeom/cunit/cu_in_wkb.c
index 72fd0e8..4bd9bd5 100644
--- a/liblwgeom/cunit/cu_in_wkb.c
+++ b/liblwgeom/cunit/cu_in_wkb.c
@@ -267,6 +267,14 @@ test_wkb_fuzz(void)
 			    0x00, 0x00, 0x11, 0x20, 0x20, 0x20, 0x20, 0x00, 0x00, 0x00, 0x00};
 	g = lwgeom_from_wkb(wkb4, 22, LW_PARSER_CHECK_NONE);
 	lwgeom_free(g);
+
+	/* OSS-FUZZ: https://trac.osgeo.org/postgis/ticket/4621 */
+	uint32_t big_size = 20000000;
+	uint8_t *wkb5 = lwalloc(big_size);
+	memset(wkb5, 0x01, big_size);
+	g = lwgeom_from_wkb(wkb5, big_size, LW_PARSER_CHECK_NONE);
+	lwgeom_free(g);
+	lwfree(wkb5);
 }
 
 /*
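Review bot: The new `wkb5` case in test_wkb_fuzz asserts nothing about the result, so it only shows that the parser does not crash on the 20000000-byte input. `g` is freed without being inspected, and a regression that accepted the input or silently truncated it would still pass. Assuming the suite's error handler returns control instead of aborting (not visible in this hunk), add `CU_ASSERT_PTR_NULL(g);` right after the `lwgeom_from_wkb(wkb5, ...)` call. The buffer also has no comment saying what the all-0x01 bytes decode to; a one-line comment such as `/* every header decodes as a nested collection, so parsing recurses until the depth limit */` would help if that is the intent. test_wkb_fuzz starts above this hunk.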
diff --git a/liblwgeom/lwin_wkb.c b/liblwgeom/lwin_wkb.c
index 423601f..02b6eec 100644
--- a/liblwgeom/lwin_wkb.c
+++ b/liblwgeom/lwin_wkb.c
@@ -30,6 +30,9 @@
 #include <math.h>
 #include <limits.h>
 
+/** Max depth in a geometry. Matches the default YYINITDEPTH for WKT */
+#define LW_PARSER_MAX_DEPTH 200
+
 /**
 * Used for passing the parse state between the parsing functions.
 */
@@ -45,6 +48,7 @@ typedef struct
 	int8_t has_m;       /* M? */
 	int8_t has_srid;    /* SRID? */
 	int8_t error;       /* An error was found (not enough bytes to read) */
+	uint8_t depth;      /* Current recursion level (to prevent stack overflows). Maxes at LW_PARSER_MAX_DEPTH */
 	const uint8_t *pos; /* Current parse position */
 } wkb_parse_state;
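Review bot: `uint8_t depth` can only count to 255, so the guard is correct only while LW_PARSER_MAX_DEPTH stays below that. If the macro is later raised past 255, `s->depth >= LW_PARSER_MAX_DEPTH` can never be true, the counter wraps, and the recursion is unbounded again with no compiler diagnostic. Either widen the field, `uint32_t depth; /* Current recursion level */`, or pin the relationship next to the define with `#if LW_PARSER_MAX_DEPTH > 255` / `#error "depth counter is uint8_t"` / `#endif`. The struct definition begins above this hunk.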
 
@@ -685,6 +689,13 @@ static LWCOLLECTION* lwcollection_from_wkb_state(wkb_parse_state *s)
 	if ( s->lwtype == POLYHEDRALSURFACETYPE )
 		s->check |= LW_PARSER_CHECK_ZCLOSURE;
 
+	s->depth++;
+	if (s->depth >= LW_PARSER_MAX_DEPTH)
+	{
+		lwcollection_free(col);
+		lwerror("Geometry has too many chained collections");
+		return NULL;
+	}
 	for ( i = 0; i < ngeoms; i++ )
 	{
 		geom = lwgeom_from_wkb_state(s);
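Review bot: The depth check is placed only in lwcollection_from_wkb_state, so it bounds recursion only for geometry types that are parsed through this function. If any other `*_from_wkb_state` parser in the file also calls lwgeom_from_wkb_state for its children without going through here (not visible in this hunk), nested input of that type would bypass the counter. Doing the `s->depth++` / limit test / `s->depth--` in lwgeom_from_wkb_state itself, the single re-entry point, would cover every container type in one place. If the guard stays here, a comment listing which container types reach this function would make the coverage auditable. The function body starts above the hunk.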
@@ -696,6 +707,7 @@ static LWCOLLECTION* lwcollection_from_wkb_state(wkb_parse_state *s)
 			return NULL;
 		}
 	}
+	s->depth--;
 
 	return col;
 }
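Review bot: `s->depth--` runs only on the success path, so the `return NULL` inside the loop leaves the counter one level too high. That is harmless only if every caller abandons the whole parse when it gets NULL back, which this hunk does not show. Either restore the counter before that return, or state the invariant next to the decrement, e.g. `/* error returns above skip this on purpose: the parse state is discarded on failure */`. The start of the loop and of the function are outside this hunk.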
@@ -823,6 +835,7 @@ LWGEOM* lwgeom_from_wkb(const uint8_t *wkb, const size_t wkb_size, const char ch
 	s.has_srid = LW_FALSE;
 	s.error = LW_FALSE;
 	s.pos = wkb;
+	s.depth = 1;
 
 	if (!wkb || !wkb_size)
 		return NULL;
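Review bot: Starting the counter at 1 here makes the effective limit 198 nested collections rather than the 200 that LW_PARSER_MAX_DEPTH suggests. lwcollection_from_wkb_state increments before testing with `>=`, so the collection at nesting level 199 is the first one rejected. Either start from `s.depth = 0;` and test with `>` in lwcollection_from_wkb_state, or keep the arithmetic and document it at the define, e.g. `/* counter starts at 1 and is tested with >= after increment: at most LW_PARSER_MAX_DEPTH - 2 nested collections */`. lwgeom_from_wkb begins above this hunk and continues below it.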

commit f89db5ac34462073be8cfb835a2ea9256ea42cf6
Author: Raúl Marín <git at rmr.ninja>
Date:   Mon Jan 20 11:32:23 2020 +0100

    NEWS typo

diff --git a/NEWS b/NEWS
index 3af0b21..28e2b7c 100644
--- a/NEWS
+++ b/NEWS
@@ -16,7 +16,7 @@ PostGIS 3.1.0
   - #2972, Add quiet mode (-q) to pgsql2shp (Kristian Thy)
   - #4617, Add configure switch `--without-phony-revision` (Raúl Marín)
   - #3057, Optional value params for Force3D*, Force4D functions (Kristian Thy)
-  - ST_HexagonGrid and ST_SquareGrid, set returning funcitons to
+  - ST_HexagonGrid and ST_SquareGrid, set returning functions to
     generate tilings of the plane (Paul Ramsey)
 
 * Enhancements *

-----------------------------------------------------------------------

Summary of changes:
 NEWS                        |  3 ++-
 liblwgeom/cunit/cu_in_wkb.c |  8 ++++++++
 liblwgeom/lwin_wkb.c        | 13 +++++++++++++
 3 files changed, 23 insertions(+), 1 deletion(-)


hooks/post-receive
-- 
PostGIS

