Opened 6 years ago
Closed 6 years ago
#4406 closed defect (fixed)
Undefined behavior in decode_geohash_bbox with invalid input
Reported by: | mentin | Owned by: | Algunenano |
---|---|---|---|
Priority: | low | Milestone: | PostGIS 2.3.10 |
Component: | liblwgeom | Version: | master |
Keywords: | geohash | Cc: |
Description
decode_geohash_bbox uses this code to convert geohash version of base32 to integer:
721 for (i = 0; i < precision; i++) 722 { 723 c = tolower(geohash[i]); 724 cd = strchr(base32, c) - base32; 725
If the input is not a valid geohash, the strchr returns NULL, the result is a constant that depends of how linker loaded 'base32' field. There is no security vulnerability here, since NULL is never dereferenced, and only 5 bits of 'cd' are used, but the result is undefined (even though it is constant for any specific build).
E.g. in my PostgreSQL build, I'm getting ST_PointFromGeoHash("@@@@@@") equal to ST_PointFromGeoHash("gggggg"), meaning my 'base32' was at some offset representable as 32*n + 16.
Should this query fail in PostGIS?
Should this return something well defined?
Change History (6)
comment:1 by , 6 years ago
Milestone: | PostGIS 2.5.3 → PostGIS 2.3.10 |
---|---|
Owner: | changed from | to
Status: | new → assigned |
PR in https://github.com/postgis/postgis/pull/420
Changes the decoding procedure to throw on invalid characters: