[postgis-tickets] r15958 - Throw error on malformed WKB input (2.2 branch)

Paul Ramsey pramsey at cleverelephant.ca
Tue Oct 10 15:44:56 PDT 2017


Author: pramsey
Date: 2017-10-10 15:44:55 -0700 (Tue, 10 Oct 2017)
New Revision: 15958

Modified:
   branches/2.2/NEWS
   branches/2.2/liblwgeom/lwin_wkb.c
Log:
Throw error on malformed WKB input (2.2 branch)
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2589
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2590
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2591
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2592
(References #3895)



Modified: branches/2.2/NEWS
===================================================================
--- branches/2.2/NEWS	2017-10-10 20:48:55 UTC (rev 15957)
+++ branches/2.2/NEWS	2017-10-10 22:44:55 UTC (rev 15958)
@@ -16,6 +16,7 @@
   - #3874, lw_dist2d_pt_arc division by zero
   - #3882, undefined behaviour in zigzag with negative inputs
   - #3891, undefined behaviour in pointarray_to_encoded_polyline
+  - #3895, throw error on malformed WKB input
 
 
 PostGIS 2.2.5

Modified: branches/2.2/liblwgeom/lwin_wkb.c
===================================================================
--- branches/2.2/liblwgeom/lwin_wkb.c	2017-10-10 20:48:55 UTC (rev 15957)
+++ branches/2.2/liblwgeom/lwin_wkb.c	2017-10-10 22:44:55 UTC (rev 15958)
@@ -318,9 +318,14 @@
 	size_t pa_size;
 	uint32_t ndims = 2;
 	uint32_t npoints = 0;
+	static uint32_t maxpoints = 4294967295 / WKB_DOUBLE_SIZE / 4;
 
 	/* Calculate the size of this point array. */
 	npoints = integer_from_wkb_state(s);
+	if (npoints > maxpoints)
+	{
+		lwerror("point array length (%d) is too large");
+	}
 
 	LWDEBUGF(4,"Pointarray has %d points", npoints);
 
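Review bot: The new lwerror call in this hunk has a format string with a `%d` conversion but no matching argument, so the error path itself invokes undefined behaviour (a vararg is read that was never passed) on exactly the malformed input the check is meant to reject; it should be `lwerror("point array length (%u) is too large", npoints);`, with `%u` rather than `%d` since `npoints` is `uint32_t`. Two smaller points on the same lines: `4294967295 / WKB_DOUBLE_SIZE / 4` would read more clearly as `UINT32_MAX / WKB_DOUBLE_SIZE / 4` with a comment stating that the divisor of 4 is the maximum number of dimensions, so the bound guards the later `npoints * ndims * WKB_DOUBLE_SIZE` size computation against overflow regardless of the actual `ndims`; and if the installed error reporter can return rather than abort, execution falls through the `if` block with the oversized `npoints` still in hand, so a `return NULL;` after the lwerror call would make the guard robust in that configuration as well. The bound only prevents the size arithmetic from wrapping; it does not by itself confirm that `npoints` points fit in the remaining WKB buffer, so the existing buffer-length check downstream still has to run.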


