From a395e6e244e04dd09284e24eb1ca3ff2a7c9f37f Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Tue, 30 May 2017 12:14:26 +0200
Subject: catalog: memory leak and crashes related fixes
* pj_transform() crashes on a catalog that has no matching grid
* pj_free() and pj_gc_unloadall() badly interact. No longer try to free the catalog object in pj_free(). That is the job of pj_gc_unloadall()
* Fix memory leaks in pj_gc_readcatalog() and pj_gc_unloadall()
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1923
Credit to OSS Fuzz.
---
 test/fuzzers/standard_fuzzer.cpp | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'test')
diff --git a/test/fuzzers/standard_fuzzer.cpp b/test/fuzzers/standard_fuzzer.cpp
index de2e2aa8..5e69b80f 100644
--- a/test/fuzzers/standard_fuzzer.cpp
+++ b/test/fuzzers/standard_fuzzer.cpp
@@ -34,6 +34,7 @@
 #include
 #include
+#include "projects.h" // For pj_gc_unloadall()
 #include "proj_api.h"
 /* Standalone build:
@@ -96,6 +97,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
 {
 free(buf_dup);
 pj_free(pj_src);
+pj_gc_unloadall(pj_get_default_ctx());
+pj_deallocate_grids();
 return 0;
 }
 double x = 0, y = 0;
@@ -104,6 +107,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
 free(buf_dup);
 pj_free(pj_src);
 pj_free(pj_dst);
+pj_gc_unloadall(pj_get_default_ctx());
+pj_deallocate_grids();
 return 0;
 }
 #ifdef STANDALONE
@@ -115,6 +120,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
 free(buf_dup);
 pj_free(pj_src);
 pj_free(pj_dst);
+pj_gc_unloadall(pj_get_default_ctx());
+pj_deallocate_grids();
 return 0;
 }
--
cgit v1.2.3
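Review bot: The same teardown sequence `pj_free(...); pj_gc_unloadall(pj_get_default_ctx()); pj_deallocate_grids();` is now pasted verbatim into three early-return paths (the hunks at -96, -104 and -115), while the normal completion path of LLVMFuzzerTestOneInput lies outside these hunks, so it cannot be seen here whether the successful path performs the same catalog and grid teardown; if it does not, state loaded on a successful pj_transform() call would still survive into the next fuzz iteration, which is the class of leak the commit sets out to close. Factoring the teardown into one static helper that every exit path calls keeps the paths from drifting apart again and makes the success path a one-line audit. The include comment on the first hunk already says `projects.h` is pulled in only for pj_gc_unloadall(), i.e. the harness now depends on the internal header rather than the public `proj_api.h`; I would extend that comment to `// internal header: pj_gc_unloadall() is not part of proj_api.h` so a later cleanup does not drop it. The body of LLVMFuzzerTestOneInput begins and ends outside the hunks, and the handle type below assumes the projPJ typedef from proj_api.h, which the hunks do not show.
```cpp
/* Release everything one fuzz iteration may have created so nothing
 * survives into the next iteration, whichever exit path is taken.
 * pj_dst is NULL on the paths that fail before it is created; the guards
 * avoid relying on pj_free() accepting NULL. */
static void cleanup_iteration(char *buf_dup, projPJ pj_src, projPJ pj_dst)
{
    free(buf_dup);
    if (pj_dst)
        pj_free(pj_dst);
    if (pj_src)
        pj_free(pj_src);
    /* pj_free() no longer releases the catalog; pj_gc_unloadall() does. */
    pj_gc_unloadall(pj_get_default_ctx());
    pj_deallocate_grids();
}

// … unchanged: LLVMFuzzerTestOneInput up to each early return, which becomes …
    cleanup_iteration(buf_dup, pj_src, NULL);   // pj_dst where it exists
    return 0;
```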