Opened 5 years ago
Closed 5 years ago
#4406 closed defect (fixed)
Undefined behavior in decode_geohash_bbox with invalid input
Reported by: | mentin | Owned by: | Algunenano |
---|---|---|---|
Priority: | low | Milestone: | PostGIS 2.3.10 |
Component: | liblwgeom | Version: | master |
Keywords: | geohash | Cc: |
Description
decode_geohash_bbox uses this code to convert the geohash version of base32 to an integer:
```c
for (i = 0; i < precision; i++)
{
	c = tolower(geohash[i]);
	cd = strchr(base32, c) - base32;
```
If the input is not a valid geohash, strchr returns NULL and the result is a constant that depends on how the linker loaded the 'base32' field. There is no security vulnerability here, since NULL is never dereferenced, and only 5 bits of 'cd' are used, but the result is undefined (even though it is constant for any specific build).
E.g. in my PostgreSQL build, I'm getting ST_PointFromGeoHash("@@@@@@") equal to ST_PointFromGeoHash("gggggg"), meaning my 'base32' was at some offset representable as 32*n + 16.
Should this query fail in PostGIS?
Should this return something well defined?
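Added example, not part of the ticket or of the PostGIS code: one way to make the lookup well defined is to check the strchr result before the pointer subtraction and fail on anything outside the alphabet. The names `geohash_char_value` and `geohash_decode_bbox_checked` are hypothetical, and returning -1 on invalid input is an assumption about the desired behaviour.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Geohash alphabet: base32 without a, i, l, o. */
static const char geohash_base32[] = "0123456789bcdefghjkmnpqrstuvwxyz";

/* Hypothetical helper: value 0..31 of one geohash character, -1 if invalid. */
static int geohash_char_value(char ch)
{
	const char *p;
	/* strchr() also matches the terminating NUL (index 32): reject it first. */
	if (ch == '\0')
		return -1;
	/* tolower() needs a value representable as unsigned char. */
	p = strchr(geohash_base32, tolower((unsigned char)ch));
	return p ? (int)(p - geohash_base32) : -1;
}

/*
 * Hypothetical checked decoder: narrows lat[2]/lon[2] to the cell named by
 * the first `precision` characters. Returns 0 on success, -1 on an invalid
 * character or a string shorter than `precision` (outputs left untouched).
 */
int geohash_decode_bbox_checked(const char *geohash, size_t precision,
				double lat[2], double lon[2])
{
	double la[2] = {-90.0, 90.0}, lo[2] = {-180.0, 180.0};
	int is_lon = 1; /* bits alternate, starting with longitude */
	int bit, cd;
	size_t i;

	for (i = 0; i < precision; i++)
	{
		cd = geohash_char_value(geohash[i]);
		if (cd < 0)
			return -1; /* fail instead of decoding a build-dependent value */
		for (bit = 16; bit > 0; bit >>= 1)
		{
			double *r = is_lon ? lo : la;
			/* bit set: keep upper half (raise min); clear: keep lower half */
			r[(cd & bit) ? 0 : 1] = (r[0] + r[1]) / 2.0;
			is_lon = !is_lon;
		}
	}
	lat[0] = la[0]; lat[1] = la[1];
	lon[0] = lo[0]; lon[1] = lo[1];
	return 0;
}
```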
Change History (6)
comment:1 by , 5 years ago
Milestone: | PostGIS 2.5.3 → PostGIS 2.3.10 |
---|---|
Owner: | changed from | to
Status: | new → assigned |
PR in https://github.com/postgis/postgis/pull/420
Changes the decoding procedure to throw on invalid characters: