[postgis-tickets] r14670 - #3461, ST_GeomFromKML crashes Postgres when there are innerBoundaryIs and no outerBoundaryIs

Paul Ramsey pramsey at cleverelephant.ca
Tue Feb 23 09:01:01 PST 2016 

Author: pramsey
Date: 2016-02-23 09:01:01 -0800 (Tue, 23 Feb 2016)
New Revision: 14670

Modified:
   branches/2.1/NEWS
   branches/2.1/postgis/lwgeom_in_kml.c
Log:
#3461, ST_GeomFromKML crashes Postgres when there are innerBoundaryIs and no outerBoundaryIs



Modified: branches/2.1/NEWS
===================================================================
--- branches/2.1/NEWS	2016-02-23 16:57:57 UTC (rev 14669)
+++ branches/2.1/NEWS	2016-02-23 17:01:01 UTC (rev 14670)
@@ -23,7 +23,10 @@
   - #3389, Buffer overflow in lwgeom_to_geojson
   - #3393, ST_Area NaN for some polygons
   - #3436, memory handling mistake in ptarray_clone_deep 
+  - #3461, ST_GeomFromKML crashes Postgres when there are 
+           innerBoundaryIs and no outerBoundaryIs
 
+
 PostGIS 2.1.8
 2015/07/07
 

Modified: branches/2.1/postgis/lwgeom_in_kml.c
===================================================================
--- branches/2.1/postgis/lwgeom_in_kml.c	2016-02-23 16:57:57 UTC (rev 14669)
+++ branches/2.1/postgis/lwgeom_in_kml.c	2016-02-23 17:01:01 UTC (rev 14670)
@@ -384,6 +384,7 @@
 	int ring;
 	xmlNodePtr xa, xb;
 	POINTARRAY **ppa = NULL;
+	int outer_rings = 0;
 
 	for (xa = xnode->children ; xa != NULL ; xa = xa->next)
 	{
@@ -407,8 +408,13 @@
 			        || (!*hasz && !ptarray_is_closed_2d(ppa[0]))
 			        ||  (*hasz && !ptarray_is_closed_3d(ppa[0])))
 				lwerror("invalid KML representation");
+			
+			outer_rings++;
 		}
 	}
+	
+	if (outer_rings != 1)
+		lwerror("invalid KML representation");
 
 	for (ring=1, xa = xnode->children ; xa != NULL ; xa = xa->next)
 	{
@@ -425,8 +431,7 @@
 			if (!is_kml_namespace(xb, false)) continue;
 			if (strcmp((char *) xb->name, "LinearRing")) continue;
 
-			ppa = (POINTARRAY**) lwrealloc((POINTARRAY *) ppa,
-			                               sizeof(POINTARRAY*) * (ring + 1));
+			ppa = (POINTARRAY**) lwrealloc(ppa, sizeof(POINTARRAY*) * (ring + 1));
 			ppa[ring] = parse_kml_coordinates(xb->children, hasz);
 
 			if (ppa[ring]->npoints < 4

More information about the postgis-tickets mailing list