From 1c60f4cc408e85aff78482659a80fe974ee5d57b Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 2 Feb 2019 09:44:44 +0100
Subject: PROJStringSyntaxParser: avoid assertion on illegal input. Fixes
 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12837. Credit to OSS
 Fuzz

---
 src/iso19111/io.cpp   | 17 +++++++++--------
 test/unit/test_io.cpp |  4 ++++
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/src/iso19111/io.cpp b/src/iso19111/io.cpp
index 3517c225..f854e21a 100644
--- a/src/iso19111/io.cpp
+++ b/src/iso19111/io.cpp
@@ -5285,6 +5285,8 @@ PROJStringSyntaxParser(const std::string &projString, std::vector<Step> &steps,
     const char *c_str = projString.c_str();
     std::vector<std::string> tokens;
 
+    bool hasProj = false;
+    bool hasInit = false;
     {
         size_t i = 0;
         while (true) {
@@ -5313,6 +5315,13 @@ PROJStringSyntaxParser(const std::string &projString, std::vector<Step> &steps,
             if (token.empty()) {
                 break;
             }
+            if (!hasProj &&
+                (starts_with(token, "proj=") || starts_with(token, "+proj="))) {
+                hasProj = true;
+            } else if (!hasInit && (starts_with(token, "init=") ||
+                                    starts_with(token, "+init="))) {
+                hasInit = true;
+            }
             tokens.emplace_back(token);
         }
     }
@@ -5320,14 +5329,6 @@ PROJStringSyntaxParser(const std::string &projString, std::vector<Step> &steps,
     bool prevWasTitle = false;
 
     if (projString.find("proj=pipeline") == std::string::npos) {
-        const bool hasProj = projString.find("proj=") == 0 ||
-                             projString.find("+proj=") == 0 ||
-                             projString.find(" proj=") != std::string::npos ||
-                             projString.find(" +proj=") != std::string::npos;
-        const bool hasInit = projString.find("init=") == 0 ||
-                             projString.find("+init=") == 0 ||
-                             projString.find(" init=") != std::string::npos ||
-                             projString.find(" +init=") != std::string::npos;
         if (hasProj || hasInit) {
             steps.push_back(Step());
         }
diff --git a/test/unit/test_io.cpp b/test/unit/test_io.cpp
index 1bbedc03..157614b4 100644
--- a/test/unit/test_io.cpp
+++ b/test/unit/test_io.cpp
@@ -8735,6 +8735,10 @@ TEST(io, projparse_errors) {
     EXPECT_THROW(PROJStringParser().createFromPROJString(
                      "proj=pipeline step init=epsg:4326 init=epsg:4326"),
                  ParsingException);
+
+    EXPECT_THROW(
+        PROJStringParser().createFromPROJString("proj=\tinit= +type=crs"),
+        ParsingException);
 }
 
 // ---------------------------------------------------------------------------
-- 
cgit v1.2.3