[postgis-tickets] [PostGIS] #3980: [SFCGAL] Potential access to freed memory
PostGIS
trac at osgeo.org
Wed Jan 10 18:17:53 PST 2018
#3980: [SFCGAL] Potential access to freed memory
---------------------+---------------------------
Reporter: lucasvr | Owner: colivier
Type: defect | Status: new
Priority: medium | Milestone: PostGIS 2.4.3
Component: sfcgal | Version: 2.4.x
Keywords: |
---------------------+---------------------------
lwgeom_from_gserialized(input) returns a pointer to an allocated LWGEOM
structure:
    LWGEOM *lwgeom_from_gserialized(const GSERIALIZED *input) {
        ...
        /* the LWGEOM is built on top of the bytes in input->data */
        lwgeom = lwgeom_from_gserialized_buffer(input->data, ...);
        ...
        return lwgeom;
    }
Depending on the input data type (e.g., point, line, circular string,
polygon), a different member of the returned LWGEOM structure will hold a
reference to the original input, such as lwgeom->point, lwgeom->points,
and lwgeom->rings.
This means that it is not safe to invoke PG_FREE_IF_COPY(input) right
after getting a reference to the LWGEOM structure. One can only free it
after the object is serialized back or once the returned LWGEOM structure
is not needed anymore.
There are several spots in postgis/lwgeom_sfcgal.c where early calls to
PG_FREE_IF_COPY() may be corrupting memory accessed by SFCGAL, as in
sfcgal_make_solid() and sfcgal_geometry_extrude(). It would be good if
somebody could review that code just to double-check whether this is indeed
the case.
--
Ticket URL: <https://trac.osgeo.org/postgis/ticket/3980>
PostGIS <http://trac.osgeo.org/postgis/>
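The ordering problem described in the ticket, as an added, self-contained model (not PostGIS or SFCGAL code): a "serialized" input buffer stands in for the detoasted GSERIALIZED, a zero-copy deserialiser stands in for lwgeom_from_gserialized(), and model_free_if_copy() stands in for PG_FREE_IF_COPY(). The struct layouts, the name model_aliases_input() and the detach helper are assumptions made for the example; they are not the real PostGIS types or API. The point it shows is the check a reviewer wants when auditing a function like sfcgal_make_solid(): whether the LWGEOM still points into the input, and therefore whether the input may be freed yet.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a detoasted GSERIALIZED (assumed layout, not PostGIS's). */
typedef struct {
    size_t size;        /* bytes of the whole buffer, header included */
    uint32_t npoints;
    double coords[];    /* npoints * 2 doubles, x then y */
} model_gserialized;

/* Constructed stand-in for an LWGEOM whose point array may alias the input. */
typedef struct {
    uint32_t npoints;
    const double *coords;   /* may point into model_gserialized::coords */
    bool owns_coords;       /* true only if coords was allocated for this object */
} model_lwgeom;

/* Stand-in for PG_DETOAST_DATUM returning a private copy, so the
   PG_FREE_IF_COPY counterpart below really does free memory. */
model_gserialized *model_detoast(const double *pts, uint32_t npoints) {
    size_t size = sizeof(model_gserialized) + 2 * npoints * sizeof(double);
    model_gserialized *g = malloc(size);
    g->size = size;
    g->npoints = npoints;
    memcpy(g->coords, pts, 2 * npoints * sizeof(double));
    return g;
}

/* Stand-in for PG_FREE_IF_COPY(input). */
void model_free_if_copy(model_gserialized *g) { free(g); }

/* Zero-copy deserialisation: the returned object references the input buffer,
   as the ticket describes for lwgeom->point / ->points / ->rings. */
model_lwgeom *model_lwgeom_from_gserialized(const model_gserialized *g) {
    model_lwgeom *lw = malloc(sizeof *lw);
    lw->npoints = g->npoints;
    lw->coords = g->coords;        /* aliases the input, no copy made */
    lw->owns_coords = false;
    return lw;
}

void model_lwgeom_free(model_lwgeom *lw) {
    if (lw->owns_coords) free((void *)lw->coords);
    free(lw);
}

/* The reviewer's check: does this object still reference the serialized input?
   If it does, freeing the input now leaves a dangling pointer. */
bool model_aliases_input(const model_lwgeom *lw, const model_gserialized *g) {
    uintptr_t lo = (uintptr_t)g, hi = lo + g->size, p = (uintptr_t)lw->coords;
    return p >= lo && p < hi;
}

/* One way to make an early free safe: give the object its own copy first. */
void model_lwgeom_detach(model_lwgeom *lw) {
    if (lw->owns_coords) return;
    size_t bytes = 2 * lw->npoints * sizeof(double);
    double *copy = malloc(bytes);
    memcpy(copy, lw->coords, bytes);
    lw->coords = copy;
    lw->owns_coords = true;
}

/* Stand-in for the consumer (e.g. handing the geometry to SFCGAL): sum of coordinates. */
double model_consume(const model_lwgeom *lw) {
    double s = 0.0;
    for (uint32_t i = 0; i < 2 * lw->npoints; i++) s += lw->coords[i];
    return s;
}

/* Correct ordering: use the object, release it, and only then free the input copy. */
double safe_order(const double *pts, uint32_t n) {
    model_gserialized *input = model_detoast(pts, n);
    model_lwgeom *lw = model_lwgeom_from_gserialized(input);
    double result = model_consume(lw);   /* input is still alive here */
    model_lwgeom_free(lw);
    model_free_if_copy(input);           /* safe: nothing references it any more */
    return result;
}

/* The ordering the ticket warns about. The read after the free is left commented
   out so the file stays well-defined; with it enabled, AddressSanitizer reports
   heap-use-after-free at that line. */
void unsafe_order_sketch(const double *pts, uint32_t n) {
    model_gserialized *input = model_detoast(pts, n);
    model_lwgeom *lw = model_lwgeom_from_gserialized(input);
    model_free_if_copy(input);           /* too early: lw->coords now dangles */
    /* model_consume(lw); */             /* would read freed memory */
    model_lwgeom_free(lw);
}

int main(void) {
    static const double pts[] = {1.0, 2.0, 3.0, 4.0};   /* constructed sample input */
    printf("safe order result: %g\n", safe_order(pts, 2));
    return 0;
}
```

Compiling with -fsanitize=address and uncommenting the marked line in unsafe_order_sketch() is the quickest way to confirm the pattern on a real build; in PostGIS itself the equivalent would be running the SFCGAL regression tests under ASan and looking for PG_FREE_IF_COPY() calls that precede the last use of the LWGEOM or of the SFCGAL geometry derived from it.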