[postgis-tickets] [SCM] PostGIS branch stable-2.4 updated. 2ad0ddc501dc4bafa0cbb3f42611a4e92208a134

git at osgeo.org git at osgeo.org
Mon Jan 20 02:39:54 PST 2020


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "PostGIS".

The branch, stable-2.4 has been updated
       via  2ad0ddc501dc4bafa0cbb3f42611a4e92208a134 (commit)
      from  95a984c4e3b2f51f60b48c1704729c00f5bd59f1 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 2ad0ddc501dc4bafa0cbb3f42611a4e92208a134
Author: Raúl Marín <git at rmr.ninja>
Date:   Fri Jan 17 17:22:42 2020 +0100

    Prevent stack overflow when parsing WKB
    
    References #4621

diff --git a/NEWS b/NEWS
index ee53a2a..d4f8075 100644
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,7 @@ XXXX/XX/XX
   - #4549, Fix schema qualification of internal types (Raúl Marín)
   - #4546, Fix PLPGSQL functions missing the schema qualification (Raúl Marín)
   - #4588, Fix update when st_union(geometry) doesn't exist (Raúl Marín)
+  - #4621, Prevent stack overflow when parsing WKB (Raúl Marín)
 
 
 PostGIS 2.4.8
diff --git a/liblwgeom/cunit/cu_in_wkb.c b/liblwgeom/cunit/cu_in_wkb.c
index 6ba8e61..7a69575 100644
--- a/liblwgeom/cunit/cu_in_wkb.c
+++ b/liblwgeom/cunit/cu_in_wkb.c
@@ -252,6 +252,14 @@ test_wkb_leak(void)
 	    001, 001, 001, 001, 001, 001, 001, 001, 001, 001, 001, 001, 001, 001, 001, 001, 001, 001, 001};
 	g = lwgeom_from_wkb(wkb2, 319, LW_PARSER_CHECK_NONE);
 	lwgeom_free(g);
+
+	/* OSS-FUZZ: https://trac.osgeo.org/postgis/ticket/4621 */
+	uint32_t big_size = 20000000;
+	uint8_t *wkb5 = lwalloc(big_size);
+	memset(wkb5, 0x01, big_size);
+	g = lwgeom_from_wkb(wkb5, big_size, LW_PARSER_CHECK_NONE);
+	lwgeom_free(g);
+	lwfree(wkb5);
 }
 
 /*
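Review bot: The new case only checks that `lwgeom_from_wkb` returns from the 20 MB all-0x01 buffer without crashing; it does not pin that the depth guard is what stopped the parse, so a regression that over-recurses again would still pass as long as it happens not to segfault on the test machine. If, as the ticket implies, this input is expected to trip the guard, add `CU_ASSERT_PTR_NULL(g);` after the call and compare the cunit error buffer against the new message (`cu_error_msg_reset()` before the call, then assert `cu_error_msg` contains "Geometry has too many chained collections"). `test_wkb_leak` begins before this hunk.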
diff --git a/liblwgeom/lwin_wkb.c b/liblwgeom/lwin_wkb.c
index f093995..7fe12e1 100644
--- a/liblwgeom/lwin_wkb.c
+++ b/liblwgeom/lwin_wkb.c
@@ -29,6 +29,9 @@
 #include "lwgeom_log.h"
 #include <math.h>
 
+/** Max depth in a geometry. Matches the default YYINITDEPTH for WKT */
+#define LW_PARSER_MAX_DEPTH 200
+
 /**
 * Used for passing the parse state between the parsing functions.
 */
@@ -43,6 +46,7 @@ typedef struct
 	int has_z; /* Z? */
 	int has_m; /* M? */
 	int has_srid; /* SRID? */
+	uint8_t depth;      /* Current recursion level (to prevent stack overflows). Maxes at LW_PARSER_MAX_DEPTH */
 	const uint8_t *pos; /* Current parse position */
 } wkb_parse_state;
 
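Review bot: `uint8_t depth` silently bounds `LW_PARSER_MAX_DEPTH` (defined in the previous hunk): if the constant is ever raised past 255 the counter wraps and the `>=` guard never fires, re-opening the stack overflow. Tie the two together with `_Static_assert(LW_PARSER_MAX_DEPTH < UINT8_MAX, "depth counter too narrow for LW_PARSER_MAX_DEPTH");` next to the define if the build allows C11, or widen the field to `uint32_t`. The field comment also overstates the limit, since the parse is rejected once depth reaches the constant, not after; `/* Current recursion level; parsing fails once it reaches LW_PARSER_MAX_DEPTH */` is more accurate.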
@@ -650,6 +654,13 @@ static LWCOLLECTION* lwcollection_from_wkb_state(wkb_parse_state *s)
 	if ( s->lwtype == POLYHEDRALSURFACETYPE )
 		s->check |= LW_PARSER_CHECK_ZCLOSURE;
 
+	s->depth++;
+	if (s->depth >= LW_PARSER_MAX_DEPTH)
+	{
+		lwcollection_free(col);
+		lwerror("Geometry has too many chained collections");
+		return NULL;
+	}
 	for ( i = 0; i < ngeoms; i++ )
 	{
 		geom = lwgeom_from_wkb_state(s);
@@ -661,6 +672,7 @@ static LWCOLLECTION* lwcollection_from_wkb_state(wkb_parse_state *s)
 			return NULL;
 		}
 	}
+	s->depth--;
 
 	return col;
 }
@@ -784,6 +796,7 @@ LWGEOM* lwgeom_from_wkb(const uint8_t *wkb, const size_t wkb_size, const char ch
 	s.has_m = LW_FALSE;
 	s.has_srid = LW_FALSE;
 	s.pos = wkb;
+	s.depth = 1;
 
 	/* Hand the check catch-all values */
 	if ( check & LW_PARSER_CHECK_NONE )

-----------------------------------------------------------------------

Summary of changes:
 NEWS                        |  1 +
 liblwgeom/cunit/cu_in_wkb.c |  8 ++++++++
 liblwgeom/lwin_wkb.c        | 13 +++++++++++++
 3 files changed, 22 insertions(+)


hooks/post-receive
-- 
PostGIS

