[postgis-tickets] r17896 - Fix leak in lwcurvepoly_from_wkb_state

Raul raul at rmr.ninja
Thu Oct 10 04:39:48 PDT 2019


Author: algunenano
Date: 2019-10-10 04:39:48 -0700 (Thu, 10 Oct 2019)
New Revision: 17896

Modified:
   branches/2.3/NEWS
   branches/2.3/liblwgeom/cunit/cu_in_wkb.c
   branches/2.3/liblwgeom/lwcurvepoly.c
   branches/2.3/liblwgeom/lwin_wkb.c
Log:
Fix leak in lwcurvepoly_from_wkb_state

References #4534



Modified: branches/2.3/NEWS
===================================================================
--- branches/2.3/NEWS	2019-10-10 11:39:01 UTC (rev 17895)
+++ branches/2.3/NEWS	2019-10-10 11:39:48 UTC (rev 17896)
@@ -10,6 +10,7 @@
   - #4495, Fix ST_SnapToGrid output having an outdated bbox (Raúl Marín)
   - #4498, Restrict build for PgSQL > 9.6
   - #4519, Fix getSRIDbySRS crash (Raúl Marín)
+  - #4534, Fix leak in lwcurvepoly_from_wkb_state (Raúl Marín)
 
 PostGIS 2.3.10
 2019/08/11

Modified: branches/2.3/liblwgeom/cunit/cu_in_wkb.c
===================================================================
--- branches/2.3/liblwgeom/cunit/cu_in_wkb.c	2019-10-10 11:39:01 UTC (rev 17895)
+++ branches/2.3/liblwgeom/cunit/cu_in_wkb.c	2019-10-10 11:39:48 UTC (rev 17896)
@@ -223,6 +223,15 @@
 	cu_wkb_malformed_in("01060000C00100000001030000C00100000003000000E3D9107E234F5041A3DB66BC97A30F4122ACEF440DAF9440FFFFFFFFFFFFEFFFE3D9107E234F5041A3DB66BC97A30F4122ACEF440DAF9440FFFFFFFFFFFFEFFFE3D9107E234F5041A3DB66BC97A30F4122ACEF440DAF9440FFFFFFFFFFFFEFFF");
 }
 
+static void
+test_wkb_leak(void)
+{
+	/* OSS-FUZZ https://trac.osgeo.org/postgis/ticket/4534 */
+	uint8_t wkb[36] = {000, 000, 000, 000, 015, 000, 000, 000, 003, 000, 200, 000, 000, 010, 000, 000, 000, 000,
+			   000, 000, 000, 000, 010, 000, 000, 000, 000, 000, 000, 000, 000, 010, 000, 000, 000, 000};
+	LWGEOM *g = lwgeom_from_wkb(wkb, 36, LW_PARSER_CHECK_NONE);
+	lwgeom_free(g);
+}
 
 /*
 ** Used by test harness to register the tests in this file.
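Review bot: test_wkb_leak makes no assertion, so it can only catch a regression when the suite runs under a leak checker or sanitizer; a comment such as `/* No assertion: must parse this fuzzer input without crashing or leaking (run under valgrind/ASan) */` would make that dependency explicit. The buffer length is repeated as a literal in the call, and `lwgeom_from_wkb(wkb, sizeof(wkb), LW_PARSER_CHECK_NONE)` would keep it tied to the array. If the parser is expected to reject this input, the test could also check the returned pointer or the recorded error, as the neighbouring `cu_wkb_malformed_in` calls presumably do.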
@@ -244,4 +253,5 @@
 	PG_ADD_TEST(suite, test_wkb_in_multicurve);
 	PG_ADD_TEST(suite, test_wkb_in_multisurface);
 	PG_ADD_TEST(suite, test_wkb_in_malformed);
+	PG_ADD_TEST(suite, test_wkb_leak);
 }

Modified: branches/2.3/liblwgeom/lwcurvepoly.c
===================================================================
--- branches/2.3/liblwgeom/lwcurvepoly.c	2019-10-10 11:39:01 UTC (rev 17895)
+++ branches/2.3/liblwgeom/lwcurvepoly.c	2019-10-10 11:39:48 UTC (rev 17896)
@@ -85,6 +85,7 @@
 	{
 		LWDEBUG(4,"mismatched nrings/maxrings");
 		lwerror("Curvepolygon is in inconsistent state. Null memory but non-zero collection counts.");
+		return LW_FAILURE;
 	}
 
 	/* Check that we're adding an allowed ring type */
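Review bot: The added `return LW_FAILURE;` is only reachable when lwerror() returns to its caller, which is not obvious from the code here and presumably depends on the installed error handler. A short comment, e.g. `/* lwerror() may return if the handler does not abort, so fail explicitly */`, would keep the line from being removed later as dead code. The function body starts and continues outside this hunk, so the other lwerror() paths in it are not visible; it is worth confirming that they also return a failure code.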

Modified: branches/2.3/liblwgeom/lwin_wkb.c
===================================================================
--- branches/2.3/liblwgeom/lwin_wkb.c	2019-10-10 11:39:01 UTC (rev 17895)
+++ branches/2.3/liblwgeom/lwin_wkb.c	2019-10-10 11:39:48 UTC (rev 17896)
@@ -613,7 +613,12 @@
 	{
 		geom = lwgeom_from_wkb_state(s);
 		if ( lwcurvepoly_add_ring(cp, geom) == LW_FAILURE )
+		{
+			lwgeom_free(geom);
+			lwgeom_free((LWGEOM *)cp);
 			lwerror("Unable to add geometry (%p) to curvepoly (%p)", geom, cp);
+			return NULL;
+		}
 	}
 	
 	return cp;
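Review bot: The lwerror() call still formats `geom` and `cp` with `%p` after both have been passed to lwgeom_free(), and a pointer's value is indeterminate once its object has been freed. The addresses also add nothing for the reader of the message, and if this text reaches a database client it discloses heap addresses. Dropping them, `lwerror("Unable to add geometry to curvepoly");`, keeps the free-before-report order while avoiding both issues. The enclosing function starts outside the hunk, so whether `geom` can be NULL at this point is not visible here.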


