[postgis-tickets] [SCM] PostGIS branch stable-3.0 updated. 54814344ab353f07e47f9d34f5498ca860ba9ab6
git at osgeo.org
git at osgeo.org
Mon Jan 20 02:35:38 PST 2020
The branch, stable-3.0 has been updated
via 54814344ab353f07e47f9d34f5498ca860ba9ab6 (commit)
from b73f67376145d96c9f5bb2c31bc407dd6e311746 (commit)
commit 54814344ab353f07e47f9d34f5498ca860ba9ab6
Author: Raúl Marín <git at rmr.ninja>
Date: Fri Jan 17 17:22:42 2020 +0100
Prevent stack overflow when parsing WKB
References #4621
diff --git a/NEWS b/NEWS
index 2bab8e8..cdf854e 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,7 @@ XXXX/XX/XX
- #4596, The script to generate nation_script_load.sh is missing
a trailing quote (Bill Mill)
- #4608, PG12: Fix several bugs in the index support function (Raúl Marín)
+ - #4621, Prevent stack overflow when parsing WKB (Raúl Marín)
PostGIS 3.0.0
2019/10/20
diff --git a/liblwgeom/cunit/cu_in_wkb.c b/liblwgeom/cunit/cu_in_wkb.c
index d928c6f..825a6f5 100644
--- a/liblwgeom/cunit/cu_in_wkb.c
+++ b/liblwgeom/cunit/cu_in_wkb.c
@@ -261,6 +261,14 @@ test_wkb_fuzz(void)
uint8_t wkb3[9] = {0x01, 0x03, 0x00, 0x00, 0x10, 0x8d, 0x55, 0xf3, 0xff};
g = lwgeom_from_wkb(wkb3, 9, LW_PARSER_CHECK_NONE);
lwgeom_free(g);
+
+ /* OSS-FUZZ: https://trac.osgeo.org/postgis/ticket/4621 */
+ uint32_t big_size = 20000000;
+ uint8_t *wkb5 = lwalloc(big_size);
+ memset(wkb5, 0x01, big_size);
+ g = lwgeom_from_wkb(wkb5, big_size, LW_PARSER_CHECK_NONE);
+ lwgeom_free(g);
+ lwfree(wkb5);
}
/*
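Review bot: The new fuzz case frees whatever lwgeom_from_wkb returns without asserting on it, so it catches a crash but not a silent change in outcome; if the expected result of the 20 MB all-0x01 input is a parse error, `CU_ASSERT_PTR_NULL(g);` placed before `lwgeom_free(g);` pins that. This follows the existing wkb3 case just above, which also does not assert, so it is a point of style rather than a defect. A one-line comment such as `/* deeply nested collection: must fail with "too many chained collections", not recurse */` would also tell the next reader what the 0x01 fill is meant to trigger, assuming that is indeed the intent. test_wkb_fuzz begins before this hunk.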
diff --git a/liblwgeom/lwin_wkb.c b/liblwgeom/lwin_wkb.c
index 074b424..1013ab8 100644
--- a/liblwgeom/lwin_wkb.c
+++ b/liblwgeom/lwin_wkb.c
@@ -30,6 +30,9 @@
#include <math.h>
#include <limits.h>
+/** Max depth in a geometry. Matches the default YYINITDEPTH for WKT */
+#define LW_PARSER_MAX_DEPTH 200
+
/**
* Used for passing the parse state between the parsing functions.
*/
@@ -45,6 +48,7 @@ typedef struct
int8_t has_m; /* M? */
int8_t has_srid; /* SRID? */
int8_t error; /* An error was found (not enough bytes to read) */
+ uint8_t depth; /* Current recursion level (to prevent stack overflows). Maxes at LW_PARSER_MAX_DEPTH */
const uint8_t *pos; /* Current parse position */
} wkb_parse_state;
@@ -688,6 +692,13 @@ static LWCOLLECTION* lwcollection_from_wkb_state(wkb_parse_state *s)
if ( s->lwtype == POLYHEDRALSURFACETYPE )
s->check |= LW_PARSER_CHECK_ZCLOSURE;
+ s->depth++;
+ if (s->depth >= LW_PARSER_MAX_DEPTH)
+ {
+ lwcollection_free(col);
+ lwerror("Geometry has too many chained collections");
+ return NULL;
+ }
for ( i = 0; i < ngeoms; i++ )
{
geom = lwgeom_from_wkb_state(s);
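Review bot: The depth guard is added only to lwcollection_from_wkb_state, so it bounds nesting that goes through collection types; any other reader in this file that recurses back into lwgeom_from_wkb_state for its sub-geometries (the compound-curve and curve-polygon readers, if they do, are outside this diff) is presumably still unbounded and should carry the same `s->depth++` / limit check / `s->depth--` bracket, or the increment and check could live in lwgeom_from_wkb_state itself so every recursive path is counted in one place. The check also runs after `col` has been constructed, which is why the error path needs `lwcollection_free(col)`; testing `s->depth` before building the collection would make the early return allocation-free. lwcollection_from_wkb_state starts before this hunk and continues past it.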
@@ -699,6 +710,7 @@ static LWCOLLECTION* lwcollection_from_wkb_state(wkb_parse_state *s)
return NULL;
}
}
+ s->depth--;
return col;
}
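Review bot: The `s->depth--` is only on the success path; the `return NULL` exit a few lines above leaves the counter incremented. That is harmless today because the failure abandons the whole parse and the state struct is not reused, but a comment such as `/* error exits do not restore depth: the parse state is discarded on failure */` next to the decrement would keep a future caller from reusing a wkb_parse_state with a stale count. lwcollection_from_wkb_state starts before this hunk.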
@@ -826,6 +838,7 @@ LWGEOM* lwgeom_from_wkb(const uint8_t *wkb, const size_t wkb_size, const char ch
s.has_srid = LW_FALSE;
s.error = LW_FALSE;
s.pos = wkb;
+ s.depth = 1;
if (!wkb || !wkb_size)
return NULL;
-----------------------------------------------------------------------
Summary of changes:
NEWS | 1 +
liblwgeom/cunit/cu_in_wkb.c | 8 ++++++++
liblwgeom/lwin_wkb.c | 13 +++++++++++++
3 files changed, 22 insertions(+)