[postgis-tickets] r17892 - Fix leak in lwcurvepoly_from_wkb_state
Raul
raul at rmr.ninja
Thu Oct 10 03:10:37 PDT 2019
Author: algunenano
Date: 2019-10-10 03:10:37 -0700 (Thu, 10 Oct 2019)
New Revision: 17892
Modified:
trunk/NEWS
trunk/liblwgeom/cunit/cu_in_wkb.c
trunk/liblwgeom/lwcurvepoly.c
trunk/liblwgeom/lwin_wkb.c
Log:
Fix leak in lwcurvepoly_from_wkb_state
Closes #4534
Closes https://github.com/postgis/postgis/pull/492
Modified: trunk/NEWS
===================================================================
--- trunk/NEWS 2019-10-08 11:48:33 UTC (rev 17891)
+++ trunk/NEWS 2019-10-10 10:10:37 UTC (rev 17892)
@@ -1,3 +1,14 @@
+PostGIS 3.0.0rc2
+2019/10/XX
+
+For full changes and enhancements, refer to PostGIS 3.0.0.
+This version requires PostgreSQL 9.5+-12 and GEOS >= 3.6+
+Additional features enabled if you are running Proj6+ and PostgreSQL 12
+Additional performance enhancements if running GEOS 3.8+
+
+* Major highlights *
+ - #4534, Fix leak in lwcurvepoly_from_wkb_state (Raúl Marín)
+
PostGIS 3.0.0rc1
2019/10/08
@@ -9,7 +20,7 @@
* Major highlights *
- #4519, Fix getSRIDbySRS crash (Raúl Marín)
- #4520, Use a clean environment when detecting C++ libraries (Raúl Marín)
- - Restore ST_Union() aggregate signature so drop agg not required and re-work
+ - Restore ST_Union() aggregate signature so drop agg not required and re-work
performance/size enhancement to continue to avoid
using Array type during ST_Union(), hopefully
avoiding Array size limitations. (Paul Ramsey)
Modified: trunk/liblwgeom/cunit/cu_in_wkb.c
===================================================================
--- trunk/liblwgeom/cunit/cu_in_wkb.c 2019-10-08 11:48:33 UTC (rev 17891)
+++ trunk/liblwgeom/cunit/cu_in_wkb.c 2019-10-10 10:10:37 UTC (rev 17892)
@@ -227,6 +227,15 @@
cu_wkb_malformed_in("01060000C00100000001030000C00100000003000000E3D9107E234F5041A3DB66BC97A30F4122ACEF440DAF9440FFFFFFFFFFFFEFFFE3D9107E234F5041A3DB66BC97A30F4122ACEF440DAF9440FFFFFFFFFFFFEFFFE3D9107E234F5041A3DB66BC97A30F4122ACEF440DAF9440FFFFFFFFFFFFEFFF");
}
+static void
+test_wkb_leak(void)
+{
+ /* OSS-FUZZ https://trac.osgeo.org/postgis/ticket/4534 */
+ uint8_t wkb[36] = {000, 000, 000, 000, 015, 000, 000, 000, 003, 000, 200, 000, 000, 010, 000, 000, 000, 000,
+ 000, 000, 000, 000, 010, 000, 000, 000, 000, 000, 000, 000, 000, 010, 000, 000, 000, 000};
+ LWGEOM *g = lwgeom_from_wkb(wkb, 36, LW_PARSER_CHECK_NONE);
+ lwgeom_free(g);
+}
/*
** Used by test harness to register the tests in this file.
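Review bot: test_wkb_leak makes no CUnit assertion, so a plain run does not check the outcome; the test appears to be meaningful only when the suite runs under a leak checker such as Valgrind or LeakSanitizer. Say so in a comment above the call, for example `/* No assertion: only detects a regression when run under a leak checker */`. If the parse of this fuzzer input is expected to fail, also pin that with an assertion on `g`. The length 36 is written twice; `lwgeom_from_wkb(wkb, sizeof(wkb), LW_PARSER_CHECK_NONE)` keeps it tied to the array.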
@@ -248,4 +257,5 @@
PG_ADD_TEST(suite, test_wkb_in_multicurve);
PG_ADD_TEST(suite, test_wkb_in_multisurface);
PG_ADD_TEST(suite, test_wkb_in_malformed);
+ PG_ADD_TEST(suite, test_wkb_leak);
}
Modified: trunk/liblwgeom/lwcurvepoly.c
===================================================================
--- trunk/liblwgeom/lwcurvepoly.c 2019-10-08 11:48:33 UTC (rev 17891)
+++ trunk/liblwgeom/lwcurvepoly.c 2019-10-10 10:10:37 UTC (rev 17892)
@@ -84,6 +84,7 @@
{
LWDEBUG(4,"mismatched nrings/maxrings");
lwerror("Curvepolygon is in inconsistent state. Null memory but non-zero collection counts.");
+ return LW_FAILURE;
}
/* Check that we're adding an allowed ring type */
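Review bot: The added `return LW_FAILURE;` is only needed if lwerror() can return to its caller, and nothing at this site says so, which leaves the line open to removal as dead code. A comment such as `/* lwerror() may return, depending on the installed handler; do not continue with NULL rings and non-zero counts */` would record the reason. The function body continues outside the hunk, so any other lwerror() calls in it cannot be checked here and deserve the same look.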
Modified: trunk/liblwgeom/lwin_wkb.c
===================================================================
--- trunk/liblwgeom/lwin_wkb.c 2019-10-08 11:48:33 UTC (rev 17891)
+++ trunk/liblwgeom/lwin_wkb.c 2019-10-10 10:10:37 UTC (rev 17892)
@@ -618,7 +618,12 @@
{
geom = lwgeom_from_wkb_state(s);
if ( lwcurvepoly_add_ring(cp, geom) == LW_FAILURE )
+ {
+ lwgeom_free(geom);
+ lwgeom_free((LWGEOM *)cp);
lwerror("Unable to add geometry (%p) to curvepoly (%p)", geom, cp);
+ return NULL;
+ }
}
return cp;
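Review bot: The `lwerror(...)` call now formats `geom` and `cp` with `%p` after both have been passed to lwgeom_free(), so the message reports dangling pointer values. It also puts heap addresses into error text that may reach logs or clients. The addresses identify nothing once the objects are freed, so the message could be reduced to `lwerror("Unable to add geometry to curvepoly");`. Freeing before lwerror() looks deliberate for the case where lwerror() does not return, and should stay. The enclosing function starts outside the hunk, so whether its callers handle the new NULL return cannot be checked here.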