From 08355f826c2d8bc880ae171e239e20e980c9560e Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Wed, 31 May 2017 13:42:15 +0200
Subject: pj_apply_vgridshift(): avoid integer overflow / read heap-buffer-overflow. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1950. Credit to OSS Fuzz
---
 src/pj_apply_vgridshift.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/pj_apply_vgridshift.c b/src/pj_apply_vgridshift.c
index 5b81a26d..35047a19 100644
--- a/src/pj_apply_vgridshift.c
+++ b/src/pj_apply_vgridshift.c
@@ -77,14 +77,18 @@ int pj_apply_vgridshift( PJ *defn, const char *listname,
     {
         long io = i * point_offset;
         LP input;
-        int itable;
+        int itable = 0;
         double value = HUGE_VAL;
         input.phi = y[io];
         input.lam = x[io];
+        /* do not deal with NaN coordinates */
+        if( input.phi != input.phi || input.lam != input.lam )
+            itable = *gridlist_count_p;
+
         /* keep trying till we find a table that works */
-        for( itable = 0; itable < *gridlist_count_p; itable++ )
+        for( ; itable < *gridlist_count_p; itable++ )
         {
             PJ_GRIDINFO *gi = tables[itable];
             struct CTABLE *ct = gi->ct;
--
cgit v1.2.3
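Review bot: The NaN test on the added `if( input.phi != input.phi || input.lam != input.lam )` line relies on IEEE self-comparison, which compilers fold to false under -ffast-math / -ffinite-math-only, silently reinstating the out-of-range table index this commit guards against; `isnan()` from <math.h> (already required for the `HUGE_VAL` two lines above) states the intent and survives those flags: `if( isnan(input.phi) || isnan(input.lam) )`. Setting `itable = *gridlist_count_p` to skip the search is a sentinel trick that only works because the loop's initializer is removed in the same hunk, so a comment such as `/* leave itable at the end so the table search is skipped and value stays HUGE_VAL */` would make that coupling explicit for the next maintainer. What becomes of a point whose value is still HUGE_VAL is decided after the loop, outside this hunk, so whether a NaN input is reported as an error or passed through cannot be confirmed from here. The enclosing function pj_apply_vgridshift begins and ends outside the hunk.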