From 20392cf7e95d090d6c8b4e43e116588bc90bb6e1 Mon Sep 17 00:00:00 2001
From: Kurt Schwehr
Date: Fri, 23 Mar 2018 05:28:09 -0700
Subject: horner: Fail if the order is unreasonably large.

Overflow in horner_alloc with "2*(int)order"

Found with autofuzz with UndefinedBehaviorSanitizer: signed-integer-overflow
---
 src/PJ_horner.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

(limited to 'src')

diff --git a/src/PJ_horner.c b/src/PJ_horner.c
index 76ccf336..24e1cbe9 100644
--- a/src/PJ_horner.c
+++ b/src/PJ_horner.c
@@ -448,9 +448,14 @@ PJ *PROJECTION(horner) {
 P->destructor = horner_freeup;
 /* Polynomial degree specified? */
- if (pj_param (P->ctx, P->params, "tdeg").i) /* degree specified? */
- degree = pj_param(P->ctx, P->params, "ideg").i;
- else {
+ if (pj_param (P->ctx, P->params, "tdeg").i) { /* degree specified? */
+ degree = pj_param(P->ctx, P->params, "ideg").i;
+ if (degree > 10000) {
+ /* What is a reasonable maximum for the degree? */
+ proj_log_debug (P, "Horner: Degree too large: %d", degree);
+ return horner_freeup (P, PJD_ERR_INVALID_ARG);
+ }
+ } else {
 proj_log_debug (P, "Horner: Must specify polynomial degree, (+deg=n)");
 return horner_freeup (P, PJD_ERR_MISSING_ARGS);
 }
-- 
cgit v1.2.3
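Review bot: A negative `+deg=` value still passes the new guard `if (degree > 10000)`, because only the upper bound is checked; as far as this hunk shows, `degree` is a plain int read via `pj_param(...).i`, and a negative order fed into the `2*(int)order` arithmetic the commit message cites is just as much an overflow/huge-allocation problem as an oversized one. Change the guard to `if (degree < 0 || degree > 10000) {` (use `< 1` instead if a zero-degree polynomial is not meaningful here — I cannot tell from this hunk) and give the limit a name, e.g. `#define HORNER_MAX_DEGREE 10000`, so the "what is a reasonable maximum" comment has a single place to be answered. The log message would also be more useful if it stated the accepted range rather than just "too large", e.g. `"Horner: Degree %d outside [0, %d]"`. PROJECTION(horner) starts before this hunk and its body continues after it.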