[postgis-tickets] r15959 - Throw error on malformed WKB input (2.3 branch)
Paul Ramsey
pramsey at cleverelephant.ca
Tue Oct 10 15:45:33 PDT 2017
Author: pramsey
Date: 2017-10-10 15:45:32 -0700 (Tue, 10 Oct 2017)
New Revision: 15959
Modified:
branches/2.3/NEWS
branches/2.3/liblwgeom/lwin_wkb.c
Log:
Throw error on malformed WKB input (2.3 branch)
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2589
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2590
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2591
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2592
(References #3895)
Modified: branches/2.3/NEWS
===================================================================
--- branches/2.3/NEWS 2017-10-10 22:44:55 UTC (rev 15958)
+++ branches/2.3/NEWS 2017-10-10 22:45:32 UTC (rev 15959)
@@ -32,6 +32,7 @@
- #3874, lw_dist2d_pt_arc division by zero
- #3882, undefined behaviour in zigzag with negative inputs
- #3891, undefined behaviour in pointarray_to_encoded_polyline
+ - #3895, throw error on malformed WKB input
PostGIS 2.3.3
Modified: branches/2.3/liblwgeom/lwin_wkb.c
===================================================================
--- branches/2.3/liblwgeom/lwin_wkb.c 2017-10-10 22:44:55 UTC (rev 15958)
+++ branches/2.3/liblwgeom/lwin_wkb.c 2017-10-10 22:45:32 UTC (rev 15959)
@@ -332,9 +332,14 @@
size_t pa_size;
uint32_t ndims = 2;
uint32_t npoints = 0;
+ static uint32_t maxpoints = 4294967295 / WKB_DOUBLE_SIZE / 4;
/* Calculate the size of this point array. */
npoints = integer_from_wkb_state(s);
+ if (npoints > maxpoints)
+ {
+ lwerror("point array length (%d) is too large");
+ }
LWDEBUGF(4,"Pointarray has %d points", npoints);
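Review bot: the added lwerror("point array length (%d) is too large") call has a %d conversion but passes no argument, so the new error path reads an unspecified vararg, which is undefined behaviour in the very branch meant to handle malformed input. Pass the value and match its type, since npoints is declared uint32_t: lwerror("point array length (%u) is too large", npoints);. Nothing in the hunk leaves the function after the error, so if the installed lwerror handler returns to the caller, execution falls through to LWDEBUGF and continues with the oversized npoints; returning an error value right after the call would make the check hold regardless of the handler. The bound would also be easier to audit written as UINT32_MAX / WKB_DOUBLE_SIZE / 4 with a short comment saying what the 4 represents (presumably the maximum number of dimensions, given ndims just above).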