From a1b82509e40fcb5c4065a8fe1bf8b078e8a8373f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ra=C3=BAl=20Mar=C3=ADn=20Rodr=C3=ADguez?=
Date: Thu, 10 Oct 2019 10:10:37 +0000
Subject: [PATCH] Fix leak in lwcurvepoly_from_wkb_state
Closes #4534
Closes https://github.com/postgis/postgis/pull/492
git-svn-id: http://svn.osgeo.org/postgis/trunk@17892 b70326c6-7e19-0410-871a-916f4a2858ee
---
 NEWS | 13 ++++++++++++-
 liblwgeom/cunit/cu_in_wkb.c | 10 ++++++++++
 liblwgeom/lwcurvepoly.c | 1 +
 liblwgeom/lwin_wkb.c | 5 +++++
 4 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index 795218f8a..35345487b 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,14 @@
+PostGIS 3.0.0rc2
+2019/10/XX
+
+For full changes and enhancements, refer to PostGIS 3.0.0.
+This version requires PostgreSQL 9.5+-12 and GEOS >= 3.6+
+Additional features enabled if you are running Proj6+ and PostgreSQL 12
+Additional performance enhancements if running GEOS 3.8+
+
+* Major highlights *
+ - #4534, Fix leak in lwcurvepoly_from_wkb_state (Raúl Marín)
+
 PostGIS 3.0.0rc1
 2019/10/08
@@ -9,7 +20,7 @@ Additional performance enhancements if running GEOS 3.8+
 * Major highlights *
 - #4519, Fix getSRIDbySRS crash (Raúl Marín)
 - #4520, Use a clean environment when detecting C++ libraries (Raúl Marín)
- - Restore ST_Union() aggregate signature so drop agg not required and re-work
+ - Restore ST_Union() aggregate signature so drop agg not required and re-work
 performance/size enhancement to continue to avoid using Array type during
 ST_Union(), hopefully avoiding Array size limitations. (Paul Ramsey)
diff --git a/liblwgeom/cunit/cu_in_wkb.c b/liblwgeom/cunit/cu_in_wkb.c
index bcd5e2891..ff4fb61c0 100644
--- a/liblwgeom/cunit/cu_in_wkb.c
+++ b/liblwgeom/cunit/cu_in_wkb.c
@@ -227,6 +227,15 @@ static void test_wkb_in_malformed(void)
 cu_wkb_malformed_in("01060000C00100000001030000C00100000003000000E3D9107E234F5041A3DB66BC97A30F4122ACEF440DAF9440FFFFFFFFFFFFEFFFE3D9107E234F5041A3DB66BC97A30F4122ACEF440DAF9440FFFFFFFFFFFFEFFFE3D9107E234F5041A3DB66BC97A30F4122ACEF440DAF9440FFFFFFFFFFFFEFFF");
 }
+static void
+test_wkb_leak(void)
+{
+ /* OSS-FUZZ https://trac.osgeo.org/postgis/ticket/4534 */
+ uint8_t wkb[36] = {000, 000, 000, 000, 015, 000, 000, 000, 003, 000, 200, 000, 000, 010, 000, 000, 000, 000,
+ 000, 000, 000, 000, 010, 000, 000, 000, 000, 000, 000, 000, 000, 010, 000, 000, 000, 000};
+ LWGEOM *g = lwgeom_from_wkb(wkb, 36, LW_PARSER_CHECK_NONE);
+ lwgeom_free(g);
+}
 /*
 ** Used by test harness to register the tests in this file.
@@ -248,4 +257,5 @@ void wkb_in_suite_setup(void)
 PG_ADD_TEST(suite, test_wkb_in_multicurve);
 PG_ADD_TEST(suite, test_wkb_in_multisurface);
 PG_ADD_TEST(suite, test_wkb_in_malformed);
+ PG_ADD_TEST(suite, test_wkb_leak);
 }
diff --git a/liblwgeom/lwcurvepoly.c b/liblwgeom/lwcurvepoly.c
index bdabdb461..e8317e60c 100644
--- a/liblwgeom/lwcurvepoly.c
+++ b/liblwgeom/lwcurvepoly.c
@@ -84,6 +84,7 @@ int lwcurvepoly_add_ring(LWCURVEPOLY *poly, LWGEOM *ring)
 {
 LWDEBUG(4,"mismatched nrings/maxrings");
 lwerror("Curvepolygon is in inconsistent state. Null memory but non-zero collection counts.");
+ return LW_FAILURE;
 }
 /* Check that we're adding an allowed ring type */
diff --git a/liblwgeom/lwin_wkb.c b/liblwgeom/lwin_wkb.c
index 46850ba39..051d82405 100644
--- a/liblwgeom/lwin_wkb.c
+++ b/liblwgeom/lwin_wkb.c
@@ -618,7 +618,12 @@ static LWCURVEPOLY* lwcurvepoly_from_wkb_state(wkb_parse_state *s)
 {
 geom = lwgeom_from_wkb_state(s);
 if ( lwcurvepoly_add_ring(cp, geom) == LW_FAILURE )
+ {
+ lwgeom_free(geom);
+ lwgeom_free((LWGEOM *)cp);
 lwerror("Unable to add geometry (%p) to curvepoly (%p)", geom, cp);
+ return NULL;
+ }
 }
 return cp;
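Review bot: test_wkb_leak makes no assertion, so in a plain cunit run it passes whether or not the leak or the underlying parse failure regresses; it only fails under a leak checker such as ASan/LSan or valgrind. Pin the visible outcome as well, for example `CU_ASSERT_PTR_NULL(g);` before the `lwgeom_free(g)` call, assuming the parser now returns NULL for this input when the suite's error reporter returns (the test already relies on that by freeing `g` afterwards) — confirm against the harness. The byte array is written in octal (`015` is 13, `200` is 128, `010` is 8), which reads as decimal at a glance; the neighbouring malformed-input test uses hex, so `0x0D`, `0x80`, `0x08` and `0x00` would be clearer. The length `36` is also repeated in the call; `lwgeom_from_wkb(wkb, sizeof(wkb), LW_PARSER_CHECK_NONE)` keeps the two in step.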
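Review bot: The new `return LW_FAILURE;` makes lwcurvepoly_add_ring report this inconsistent-state case to its caller instead of relying on lwerror() never returning, so every caller must now check the result and release what it owns, as the lwin_wkb.c change does; this patch adjusts only lwcurvepoly_from_wkb_state, and any other callers are outside the diff and should be audited. The function header and the condition guarding this block are outside the hunk. A short comment on the block, such as `/* Refuse to grow a corrupt collection; caller keeps ownership of poly and ring */`, would document the ownership contract the wkb reader now depends on, assuming that is the intended split.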
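Review bot: `geom` and `cp` are handed to lwerror() on the line after both have been freed, so the `%p` arguments read pointer values that are indeterminate once their objects are released; call lwerror() first and free afterwards — `lwerror("Unable to add geometry (%p) to curvepoly (%p)", geom, cp); lwgeom_free(geom); lwgeom_free((LWGEOM *)cp); return NULL;` — which still frees both when the error reporter returns (the case the new test exercises) and, when it does not return, abandons the allocations exactly as the code did before this change. Returning NULL is a new outcome for this function, so its caller in lwgeom_from_wkb_state (outside the hunk) must tolerate a NULL curvepoly and not dereference it or add it to a parent collection — worth confirming. `geom` itself may also be NULL if lwgeom_from_wkb_state fails with a returning reporter; whether lwcurvepoly_add_ring handles a NULL ring is not visible here. The enclosing loop and function begin before the hunk.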