diff options
| author | Even Rouault <even.rouault@spatialys.com> | 2020-04-26 16:47:00 +0200 |
|---|---|---|
| committer | Even Rouault <even.rouault@spatialys.com> | 2020-04-26 16:47:00 +0200 |
| commit | 39cd68f661ac86484b341c93f949c29592694e89 (patch) | |
| tree | 9a01cfdb52f6dbb43b24d62826470c8e5b57c8e8 /src | |
| parent | d6b3a5243689e4531a0af2b2ab284b438120ef0b (diff) | |
| download | PROJ-39cd68f661ac86484b341c93f949c29592694e89.tar.gz PROJ-39cd68f661ac86484b341c93f949c29592694e89.zip | |
pipeline initialization: avoid deep recursion on corrupted PROJ string like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21889
Diffstat (limited to 'src')
| -rw-r--r-- | src/pipeline.cpp | 12 | ||||
| -rw-r--r-- | src/proj_internal.h | 1 |
2 files changed, 13 insertions, 0 deletions
diff --git a/src/pipeline.cpp b/src/pipeline.cpp index 511a69fe..80ee0397 100644 --- a/src/pipeline.cpp +++ b/src/pipeline.cpp @@ -424,6 +424,16 @@ PJ *OPERATION(pipeline,0) { int i_pipeline = -1, i_first_step = -1, i_current_step; char **argv, **current_argv; + if( P->ctx->pipelineInitRecursiongCounter == 5 ) + { + // Can happen for a string like: + // proj=pipeline step "x="""," u=" proj=pipeline step ste=""[" u=" proj=pipeline step ste="[" u=" proj=pipeline step ste="[" u=" proj=pipeline step ste="[" u=" proj=pipeline step ste="[" u=" proj=pipeline step ste="[" u=" proj=pipeline step ste="[" u=" proj=pipeline step ste="[" u=" proj=pipeline p step ste="[" u=" proj=pipeline step ste="[" u=" proj=pipeline step ste="[" u=" proj=pipeline step ste="[" u=" proj=pipeline step ""x=""""""""""" + // Probably an issue with the quoting handling code + // But doesn't hurt to add an extra safety check + proj_log_error (P, "Pipeline: too deep recursion"); + return destructor (P, PJD_ERR_MALFORMED_PIPELINE); /* ERROR: nested pipelines */ + } + P->fwd4d = pipeline_forward_4d; P->inv4d = pipeline_reverse_4d; P->fwd3d = pipeline_forward_3d; @@ -513,7 +523,9 @@ PJ *OPERATION(pipeline,0) { err = proj_errno_reset (P); + P->ctx->pipelineInitRecursiongCounter ++; next_step = pj_create_argv_internal (P->ctx, current_argc, current_argv); + P->ctx->pipelineInitRecursiongCounter --; proj_log_trace (P, "Pipeline: Step %d (%s) at %p", i, current_argv[0], next_step); if (nullptr==next_step) { diff --git a/src/proj_internal.h b/src/proj_internal.h index c600a75e..618133bb 100644 --- a/src/proj_internal.h +++ b/src/proj_internal.h @@ -747,6 +747,7 @@ struct projCtx_t { projGridChunkCache gridChunkCache{}; int projStringParserCreateFromPROJStringRecursionCounter = 0; // to avoid potential infinite recursion in PROJStringParser::createFromPROJString() + int pipelineInitRecursiongCounter = 0; // to avoid potential infinite recursion in pipeline.cpp TMercAlgo defaultTmercAlgo = TMercAlgo::PODER_ENGSAGER; // can be overridden by content of proj.ini |