From 3f6c53ccee6062df95c595a0ea5b8cbed7e7f199 Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Thu, 18 Apr 2019 22:19:59 +0200
Subject: tpers: avoid division by zero
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14342 Credit to OSS Fuzz
---
 src/projections/nsper.cpp | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
(limited to 'src/projections/nsper.cpp')
diff --git a/src/projections/nsper.cpp b/src/projections/nsper.cpp
index a0bb5686..37938924 100644
--- a/src/projections/nsper.cpp
+++ b/src/projections/nsper.cpp
@@ -96,7 +96,7 @@ static PJ_XY s_forward (PJ_LP lp, PJ *P) { /* Spheroidal, forward */
 static PJ_LP s_inverse (PJ_XY xy, PJ *P) { /* Spheroidal, inverse */
 PJ_LP lp = {0.0,0.0};
 struct pj_opaque *Q = static_cast(P->opaque);
- double rh, cosz, sinz;
+ double rh;
 if (Q->tilt) {
 double bm, bq, yt;
@@ -108,16 +108,18 @@ static PJ_LP s_inverse (PJ_XY xy, PJ *P) { /* Spheroidal, inverse */
 xy.y = bq * Q->cg - bm * Q->sg;
 }
 rh = hypot(xy.x, xy.y);
- if ((sinz = 1. - rh * rh * Q->pfact) < 0.) {
- proj_errno_set(P, PJD_ERR_TOLERANCE_CONDITION);
- return lp;
- }
- sinz = (Q->p - sqrt(sinz)) / (Q->pn1 / rh + rh / Q->pn1);
- cosz = sqrt(1. - sinz * sinz);
 if (fabs(rh) <= EPS10) {
 lp.lam = 0.;
 lp.phi = P->phi0;
 } else {
+ double cosz, sinz;
+ sinz = 1. - rh * rh * Q->pfact;
+ if (sinz < 0.) {
+ proj_errno_set(P, PJD_ERR_TOLERANCE_CONDITION);
+ return lp;
+ }
+ sinz = (Q->p - sqrt(sinz)) / (Q->pn1 / rh + rh / Q->pn1);
+ cosz = sqrt(1. - sinz * sinz);
 switch (Q->mode) {
 case OBLIQ:
 lp.phi = asin(cosz * Q->sinph0 + xy.y * sinz * Q->cosph0 / rh);
-- cgit v1.2.3
From 00980bf63fae6d350f425c44a648f33d7c09a931 Mon Sep 17 00:00:00 2001
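Review bot: The relocated range test `if (sinz < 0.)` in the `else` branch of s_inverse still lets a NaN through: when `rh` is NaN, both `fabs(rh) <= EPS10` and `sinz < 0.` compare false, so the function returns NaN coordinates without setting an error. Writing the guard as `if (!(sinz >= 0.))` would route that case to `PJD_ERR_TOLERANCE_CONDITION` as well. The same comparison form appears in the `Q->pn1 <= 0 || Q->pn1 > 1e10` check that the later geos patch on this page adds to setup(), where `if (!(Q->pn1 > 0 && Q->pn1 <= 1e10))` would also reject a NaN ratio. Whether callers filter NaN coordinates or parameters before these functions run is not visible in the hunks, so this may already be covered upstream. s_inverse continues past the end of the hunk.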
From: Even Rouault
Date: Fri, 26 Apr 2019 18:18:30 +0200
Subject: Prefix inverse and forward functions by their projection names
This is mostly to have better OSSFuzz report. Currently a lot of bug summaries are like `proj4/standard_fuzzer: Divide-by-zero in s_inverse` By prefixing the projection name, we will get better reports, like `Divide-by-zero in airy_s_inverse` This also makes it slightly easier to set a breakpoint by function name.
---
 src/projections/nsper.cpp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'src/projections/nsper.cpp')
diff --git a/src/projections/nsper.cpp b/src/projections/nsper.cpp
index 37938924..fbf5317b 100644
--- a/src/projections/nsper.cpp
+++ b/src/projections/nsper.cpp
@@ -38,7 +38,7 @@ PROJ_HEAD(tpers, "Tilted perspective") "\n\tAzi, Sph\n\ttilt= azi= h=";
 # define EPS10 1.e-10
-static PJ_XY s_forward (PJ_LP lp, PJ *P) { /* Spheroidal, forward */
+static PJ_XY nsper_s_forward (PJ_LP lp, PJ *P) { /* Spheroidal, forward */
 PJ_XY xy = {0.0,0.0};
 struct pj_opaque *Q = static_cast(P->opaque);
 double coslam, cosphi, sinphi;
@@ -93,7 +93,7 @@ static PJ_XY s_forward (PJ_LP lp, PJ *P) { /* Spheroidal, forward */
 }
-static PJ_LP s_inverse (PJ_XY xy, PJ *P) { /* Spheroidal, inverse */
+static PJ_LP nsper_s_inverse (PJ_XY xy, PJ *P) { /* Spheroidal, inverse */
 PJ_LP lp = {0.0,0.0};
 struct pj_opaque *Q = static_cast(P->opaque);
 double rh;
@@ -165,8 +165,8 @@ static PJ *setup(PJ *P) {
 Q->rp = 1. / Q->p;
 Q->h = 1. / Q->pn1;
 Q->pfact = (Q->p + 1.) * Q->h;
- P->inv = s_inverse;
- P->fwd = s_forward;
+ P->inv = nsper_s_inverse;
+ P->fwd = nsper_s_forward;
 P->es = 0.;
 return P;
-- cgit v1.2.3
From 96af6dbf69dd38421916438702be80f73276d879 Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Sun, 5 May 2019 20:28:59 +0200
Subject: geos: avoid division by zero
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14602 Credit to OSS Fuzz
---
 src/projections/nsper.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'src/projections/nsper.cpp')
diff --git a/src/projections/nsper.cpp b/src/projections/nsper.cpp
index fbf5317b..d641e1b6 100644
--- a/src/projections/nsper.cpp
+++ b/src/projections/nsper.cpp
@@ -148,8 +148,7 @@ static PJ_LP nsper_s_inverse (PJ_XY xy, PJ *P) { /* Spheroidal, invers
 static PJ *setup(PJ *P) {
 struct pj_opaque *Q = static_cast(P->opaque);
- if ((Q->height = pj_param(P->ctx, P->params, "dh").f) <= 0.)
- return pj_default_destructor(P, PJD_ERR_H_LESS_THAN_ZERO);
+ Q->height = pj_param(P->ctx, P->params, "dh").f;
 if (fabs(fabs(P->phi0) - M_HALFPI) < EPS10)
 Q->mode = P->phi0 < 0. ? S_POLE : N_POLE;
@@ -161,6 +160,8 @@ static PJ *setup(PJ *P) {
 Q->cosph0 = cos(P->phi0);
 }
 Q->pn1 = Q->height / P->a; /* normalize by radius */
+ if ( Q->pn1 <= 0 || Q->pn1 > 1e10 )
+ return pj_default_destructor (P, PJD_ERR_INVALID_H);
 Q->p = 1. + Q->pn1;
 Q->rp = 1. / Q->p;
 Q->h = 1. / Q->pn1;
-- cgit v1.2.3
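Review bot: The bound added in setup(), `if ( Q->pn1 <= 0 || Q->pn1 > 1e10 )`, uses an unexplained literal and is applied to the normalized ratio rather than to `h`, so a reader cannot tell which later division it protects or why 1e10 was chosen. A short comment would help, for example `/* pn1 = h/a is a divisor in 1/pn1 below: require it positive and bounded */`, and the limit could become a named constant next to `EPS10`. The `h <= 0` case now reports `PJD_ERR_INVALID_H` instead of `PJD_ERR_H_LESS_THAN_ZERO`; any code or test that matches on the old value, if such exists, would need updating. setup() begins in the previous hunk and continues past the end of this one.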