[postgis-tickets] [PostGIS] #4191: Undefined behaviour in ptarray_clone_deep

PostGIS trac at osgeo.org
Fri Sep 28 12:30:27 PDT 2018


#4191: Undefined behaviour in ptarray_clone_deep
------------------------+---------------------------
 Reporter:  Algunenano  |      Owner:  Algunenano
     Type:  defect      |     Status:  assigned
 Priority:  medium      |  Milestone:  PostGIS 2.2.8
Component:  postgis     |    Version:  2.2.x
 Keywords:              |
------------------------+---------------------------
 Detected running regress `tickets` under `gcc -fsanitize=undefined
 -fsanitize-undefined-trap-on-error`.

 There is a zero-length allocation that can lead to
 `out->serialized_pointlist` being NULL
 (https://wiki.sei.cmu.edu/confluence/display/c/MEM04-C.+Beware+of+zero-length+allocations),
 which is not valid as input for memcpy:

 ```
 If an argument to a function has an invalid value (such as a value
 outside the domain of the function, or a pointer outside the address space
 of the program, or a null pointer, or a pointer to non-modifiable storage
 when the corresponding parameter is not const-qualified) or a type (after
 promotion) not expected by a function with variable number of arguments,
 the behavior is undefined.
 ```

 {{{
 Core was generated by `postgres: raul postgis_reg [local] SELECT  '.
 Program terminated with signal SIGILL, Illegal instruction.
 #0  0x00007f1aebe19e41 in ptarray_clone_deep (in=0x55c488ddf5f0) at
 ptarray.c:637
 637             memcpy(out->serialized_pointlist,
 in->serialized_pointlist, size);
 (gdb) p size
 $1 = 0
 (gdb) p *in
 $3 = {serialized_pointlist = 0x0, flags = 0 '\000', npoints = 0, maxpoints
 = 0}
 (gdb) bt
 #0  0x00007f1aebe19e41 in ptarray_clone_deep (in=0x55c488ddf5f0) at
 ptarray.c:637
 #1  0x00007f1aebe2b0a2 in lwline_clone_deep (g=0x55c488ddf5c0) at
 lwline.c:126
 #2  0x00007f1aebe22329 in lwgeom_clone_deep (lwgeom=0x55c488ddf5c0) at
 lwgeom.c:522
 #3  0x00007f1aebe34436 in lwcollection_clone_deep (g=0x55c488ddf570) at
 lwcollection.c:159
 #4  0x00007f1aebe22347 in lwgeom_clone_deep (lwgeom=0x55c488ddf570) at
 lwgeom.c:535
 #5  0x00007f1aebeb3b5a in lwgeom_linemerge (geom=0x55c488ddf570) at
 lwgeom_geos.c:642
 #6  0x00007f1aebccd73c in linemerge (fcinfo=0x55c488dbdfd0) at
 lwgeom_geos.c:3041
 #7  0x000055c487667870 in ExecInterpExpr (state=0x55c488dbd688,
 econtext=0x55c488dbcea0, isnull=0x7fffc06a8ddf) at execExprInterp.c:678
 }}}
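As an added illustration (not PostGIS code), a reduced model of the clone path that skips allocation and memcpy when the array has no points, so the NULL-from-zero-length-allocation case never reaches memcpy. POINTARRAY field names follow the gdb dump above; FLAG_Z, model_alloc and the two demo functions are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {               /* field names follow the gdb dump above */
    uint8_t *serialized_pointlist;
    uint8_t flags;
    uint32_t npoints;
    uint32_t maxpoints;
} POINTARRAY;
#define FLAG_Z 0x01  /* constructed flag bit: points carry a Z ordinate */

/* Bytes per point: X and Y, plus Z if flagged. */
static size_t ptarray_point_size(const POINTARRAY *pa) {
    return (2 + ((pa->flags & FLAG_Z) ? 1 : 0)) * sizeof(double);
}
/* Models the trap: a zero-length request yields NULL, and memcpy with a
 * null pointer is undefined even when size is 0 (the clause quoted above). */
static void *model_alloc(size_t n) { return n == 0 ? NULL : malloc(n); }

/* Hardened clone: allocate and memcpy only when there are bytes to copy. */
POINTARRAY *ptarray_clone_deep_safe(const POINTARRAY *in) {
    POINTARRAY *out = malloc(sizeof *out);
    if (!out) return NULL;
    size_t size = (size_t)in->npoints * ptarray_point_size(in);
    out->flags = in->flags;
    out->npoints = out->maxpoints = in->npoints;
    out->serialized_pointlist = NULL;
    if (size > 0) {
        out->serialized_pointlist = model_alloc(size);
        if (!out->serialized_pointlist) { free(out); return NULL; }
        memcpy(out->serialized_pointlist, in->serialized_pointlist, size);
    }
    return out;
}

/* The empty-array case from the report: clone succeeds without memcpy. Returns 1 on success. */
int demo_clone_empty(void) {
    POINTARRAY in = { NULL, 0, 0, 0 };
    POINTARRAY *out = ptarray_clone_deep_safe(&in);
    int ok = out && out->npoints == 0 && out->serialized_pointlist == NULL;
    free(out);
    return ok;
}
/* A 2-point XYZ array: the clone is a distinct, byte-identical copy. Returns 1 on success. */
int demo_clone_xyz(void) {
    double pts[6] = { 1.0, 2.0, 3.0, 4.0, 5.0, 6.0 };   /* constructed sample points */
    POINTARRAY in = { (uint8_t *)pts, FLAG_Z, 2, 2 };
    POINTARRAY *out = ptarray_clone_deep_safe(&in);
    int ok = out && out->npoints == 2 && (void *)out->serialized_pointlist != (void *)pts
             && memcmp(out->serialized_pointlist, pts, sizeof pts) == 0;
    if (out) { free(out->serialized_pointlist); free(out); }
    return ok;
}
```

Built with `-fsanitize=undefined`, the guarded clone handles the empty LINESTRING input from the backtrace without tripping the sanitizer.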

-- 
Ticket URL: <https://trac.osgeo.org/postgis/ticket/4191>
PostGIS <http://trac.osgeo.org/postgis/>