[postgis-tickets] r17849 - getSRIDbySRS: Fix crash

Raul raul at rmr.ninja
Wed Oct 2 07:25:20 PDT 2019


Author: algunenano
Date: 2019-10-02 07:25:20 -0700 (Wed, 02 Oct 2019)
New Revision: 17849

Modified:
   branches/2.3/NEWS
   branches/2.3/postgis/lwgeom_export.c
Log:
getSRIDbySRS: Fix crash

- Prevents a stack buffer overflow when the srs is long (query + srs > 256 chars).
- Prevents sql injection.

Closes #4519



Modified: branches/2.3/NEWS
===================================================================
--- branches/2.3/NEWS	2019-10-02 14:24:45 UTC (rev 17848)
+++ branches/2.3/NEWS	2019-10-02 14:25:20 UTC (rev 17849)
@@ -9,6 +9,7 @@
   - #4493, Fix ST_RemoveRepeatedPoints output having an outdated bbox (Raúl Marín)
   - #4495, Fix ST_SnapToGrid output having an outdated bbox (Raúl Marín)
   - #4498, Restrict build for PgSQL > 9.6
+  - #4519, Fix getSRIDbySRS crash (Raúl Marín)
 
 PostGIS 2.3.10
 2019/08/11

Modified: branches/2.3/postgis/lwgeom_export.c
===================================================================
--- branches/2.3/postgis/lwgeom_export.c	2019-10-02 14:24:45 UTC (rev 17848)
+++ branches/2.3/postgis/lwgeom_export.c	2019-10-02 14:25:20 UTC (rev 17849)
@@ -29,7 +29,9 @@
  */
 
 #include "float.h" /* for DBL_DIG */
+
 #include "postgres.h"
+#include "catalog/pg_type.h" /* for CSTRINGOID */
 #include "executor/spi.h"
 
 #include "../postgis_config.h"
@@ -116,26 +118,26 @@
 */
 int getSRIDbySRS(const char* srs)
 {
-	char query[256];
-	int srid, err;
+	char *query =
+	    "SELECT srid "
+	    "FROM spatial_ref_sys, "
+	    "regexp_matches($1::text, E'([a-z]+):([0-9]+)', 'gi') AS re "
+	    "WHERE re[1] ILIKE auth_name AND int4(re[2]) = auth_srid";
+	Oid argtypes[] = {CSTRINGOID};
+	Datum values[] = {CStringGetDatum(srs)};
+	int32_t srid, err;
 
 	if (srs == NULL)
 		return 0;
 
-	if (SPI_OK_CONNECT != SPI_connect ())
+	if (SPI_OK_CONNECT != SPI_connect())
 	{
 		elog(NOTICE, "getSRIDbySRS: could not connect to SPI manager");
-		SPI_finish();
 		return 0;
 	}
-	sprintf(query,
-		"SELECT srid "
-		"FROM spatial_ref_sys, "
-		"regexp_matches('%s', E'([a-z]+):([0-9]+)', 'gi') AS re "
-		"WHERE re[1] ILIKE auth_name AND int4(re[2]) = auth_srid", srs);
 
-	err = SPI_exec(query, 1);
-	if ( err < 0 )
+	err = SPI_execute_with_args(query, 1, argtypes, values, NULL, true, 1);
+	if (err < 0)
 	{
 		elog(NOTICE, "getSRIDbySRS: error executing query %d", err);
 		SPI_finish();
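Review bot: `int4(re[2])` in the WHERE clause of the new parameterized query still turns a digit run outside the int4 range into a PostgreSQL ERROR rather than into the `return 0` path: the pattern accepts `[0-9]+` of any length, so an srs such as `EPSG:99999999999` can abort the calling statement instead of reporting an unknown SRID, which matters now that the srs is treated as hostile input. If the intent is that unknown or malformed srs names yield 0, comparing without a narrowing cast, `WHERE re[1] ILIKE auth_name AND re[2]::numeric = auth_srid`, keeps the lookup from raising; the same applies to the URN query in the next hunk. Separately, `query` now points at string literals and `SPI_execute_with_args` takes a `const char *`, so it should be declared `const char *query =`. The remainder of getSRIDbySRS, including the extraction of `srid` from the result, is outside this hunk.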
@@ -145,14 +147,14 @@
 	/* no entry in spatial_ref_sys */
 	if (SPI_processed <= 0)
 	{
-		sprintf(query,
-			"SELECT srid "
-			"FROM spatial_ref_sys, "
-			"regexp_matches('%s', E'urn:ogc:def:crs:([a-z]+):.*:([0-9]+)', 'gi') AS re "
-			"WHERE re[1] ILIKE auth_name AND int4(re[2]) = auth_srid", srs);
+		query =
+		    "SELECT srid "
+		    "FROM spatial_ref_sys, "
+		    "regexp_matches($1::text, E'urn:ogc:def:crs:([a-z]+):.*:([0-9]+)', 'gi') AS re "
+		    "WHERE re[1] ILIKE auth_name AND int4(re[2]) = auth_srid";
 
-		err = SPI_exec(query, 1);
-		if ( err < 0 )
+		err = SPI_execute_with_args(query, 1, argtypes, values, NULL, true, 1);
+		if (err < 0)
 		{
 			elog(NOTICE, "getSRIDbySRS: error executing query %d", err);
 			SPI_finish();
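Review bot: The fallback block in this hunk is now a line-for-line copy of the first lookup with only the SQL text changed (`SPI_execute_with_args(query, 1, argtypes, values, NULL, true, 1)`, the `err < 0` NOTICE, `SPI_finish()`), and such duplicated execute-and-check blocks tend to drift when one copy is later adjusted. A small `static` helper that binds `srs` as `$1` and returns rows-or-error would let both lookups share it, with the two SQL literals held in named `const char *` variables (say `query_auth_code` and `query_urn`). The sketch below keeps the existing semantics, an SPI error on the first query still returns 0 without trying the URN form and only zero rows falls through, but the row extraction that follows is outside the hunk, so the tail of getSRIDbySRS would need checking against it.
```c
/* Run one spatial_ref_sys lookup with srs bound as $1 (read-only, at most one row).
 * Returns the number of rows produced, or -1 after reporting an SPI error. */
static int
run_srs_lookup(const char *query, const char *srs)
{
	Oid argtypes[] = {CSTRINGOID};
	Datum values[] = {CStringGetDatum(srs)};
	int err = SPI_execute_with_args(query, 1, argtypes, values, NULL, true, 1);

	if (err < 0)
	{
		elog(NOTICE, "getSRIDbySRS: error executing query %d", err);
		return -1;
	}
	return (int) SPI_processed;
}

	/* … in getSRIDbySRS, after SPI_connect() succeeds … */
	rows = run_srs_lookup(query_auth_code, srs);
	if (rows == 0)
		rows = run_srs_lookup(query_urn, srs); /* no auth:code entry, try the URN form */
	if (rows <= 0)
	{
		SPI_finish();
		return 0;
	}
	/* … unchanged: remainder of getSRIDbySRS (outside the hunk) … */
```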
@@ -159,7 +161,8 @@
 			return 0;
 		}
 
-		if (SPI_processed <= 0) {
+		if (SPI_processed <= 0)
+		{
 			SPI_finish();
 			return 0;
 		}


