[postgis-tickets] r15961 - Throw error on malformed WKB input

Paul Ramsey pramsey at cleverelephant.ca
Tue Oct 10 15:46:09 PDT 2017


Author: pramsey
Date: 2017-10-10 15:46:08 -0700 (Tue, 10 Oct 2017)
New Revision: 15961

Modified:
   trunk/liblwgeom/cunit/cu_in_wkb.c
   trunk/liblwgeom/lwin_wkb.c
Log:
Throw error on malformed WKB input
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2589
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2590
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2591
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2592
(Closes #3895)



Modified: trunk/liblwgeom/cunit/cu_in_wkb.c
===================================================================
--- trunk/liblwgeom/cunit/cu_in_wkb.c	2017-10-10 22:45:47 UTC (rev 15960)
+++ trunk/liblwgeom/cunit/cu_in_wkb.c	2017-10-10 22:46:08 UTC (rev 15961)
@@ -213,6 +213,10 @@
 
 static void test_wkb_in_malformed(void)
 {
+
+	/* OSSFUXX */
+	cu_wkb_malformed_in("0000000008200000002020202020202020");
+
 	/* See http://trac.osgeo.org/postgis/ticket/1445 */
 	cu_wkb_malformed_in("01060000400200000001040000400100000001010000400000000000000000000000000000000000000000000000000101000040000000000000F03F000000000000F03F000000000000F03F");
 	cu_wkb_malformed_in("01050000400200000001040000400100000001010000400000000000000000000000000000000000000000000000000101000040000000000000F03F000000000000F03F000000000000F03F");
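Review bot: the comment on the new test case reads `/* OSSFUXX */`, which looks like a typo for OSS-Fuzz and does not say which report the input reproduces. Suggest pointing at the report the way the ticket 1445 comment just below does, using one of the OSS-Fuzz URLs from the log message, and dropping the blank line added directly after the opening brace. The log credits four OSS-Fuzz issues but only one input is added here; if the other reports have distinct reproducers, adding them would keep each one covered by this regression test.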

Modified: trunk/liblwgeom/lwin_wkb.c
===================================================================
--- trunk/liblwgeom/lwin_wkb.c	2017-10-10 22:45:47 UTC (rev 15960)
+++ trunk/liblwgeom/lwin_wkb.c	2017-10-10 22:46:08 UTC (rev 15961)
@@ -332,9 +332,14 @@
 	size_t pa_size;
 	uint32_t ndims = 2;
 	uint32_t npoints = 0;
+	static uint32_t maxpoints = 4294967295 / WKB_DOUBLE_SIZE / 4;
 
 	/* Calculate the size of this point array. */
 	npoints = integer_from_wkb_state(s);
+	if (npoints > maxpoints)
+	{
+		lwerror("point array length (%d) is too large");
+	}
 
 	LWDEBUGF(4,"Pointarray has %d points", npoints);
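Review bot: the `lwerror("point array length (%d) is too large");` call in the new `npoints > maxpoints` branch has a `%d` conversion but passes no argument, so the formatter reads an indeterminate value; pass `npoints` and use `%u`, since it is a `uint32_t`. The branch also has no `return` after `lwerror`, so if the installed error handler returns, execution continues past the check with the oversized `npoints`. `maxpoints` never changes and could be `static const`, and a short comment explaining the `/ 4` divisor (presumably the maximum number of dimensions) would make the bound easier to verify.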
 


