authorKurt Schwehr <schwehr@google.com>2018-03-23 05:28:09 -0700
committerKurt Schwehr <schwehr@google.com>2018-03-23 05:28:09 -0700
commit20392cf7e95d090d6c8b4e43e116588bc90bb6e1 (patch)
tree4a673e507de3dcd818717aa4bdb4ea31464764b5
parentbe3587d8de04ab35baf04c86d67bdb0b9e269be8 (diff)
horner: Fail if the order is unreasonably large.
Overflow in horner_alloc with "2*(int)order". Found with autofuzz with UndefinedBehaviorSanitizer: signed-integer-overflow.
-rw-r--r--src/PJ_horner.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/src/PJ_horner.c b/src/PJ_horner.c
index 76ccf336..24e1cbe9 100644
--- a/src/PJ_horner.c
+++ b/src/PJ_horner.c
@@ -448,9 +448,14 @@ PJ *PROJECTION(horner) {
P->destructor = horner_freeup;
/* Polynomial degree specified? */
- if (pj_param (P->ctx, P->params, "tdeg").i) /* degree specified? */
- degree = pj_param(P->ctx, P->params, "ideg").i;
- else {
+ if (pj_param (P->ctx, P->params, "tdeg").i) { /* degree specified? */
+ degree = pj_param(P->ctx, P->params, "ideg").i;
+ if (degree > 10000) {
+ /* What is a reasonable maximum for the degree? */
+ proj_log_debug (P, "Horner: Degree too large: %d", degree);
+ return horner_freeup (P, PJD_ERR_INVALID_ARG);
+ }
+ } else {
proj_log_debug (P, "Horner: Must specify polynomial degree, (+deg=n)");
return horner_freeup (P, PJD_ERR_MISSING_ARGS);
}
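Review bot: The new range check on `degree` covers only the upper side, so a negative `+deg` value still passes `if (degree > 10000)` and goes on to the allocation path that the commit message names as the overflow site. What a negative order does there is not visible in this hunk, but rejecting it here costs nothing: `if (degree < 0 || degree > 10000) {`. The limit is also a bare literal with an open question in the comment beside it; a named constant (for example `HORNER_MAX_DEGREE`) with a comment stating how many coefficients that degree implies would let the next reader judge whether 10000 is still too generous for memory use. PROJECTION(horner) starts before and continues past this hunk.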