#5315 closed defect (fixed)

ST_Buffer causes segfault on polygon with infinity coordinates

Reported by: ewie Owned by: robe
Priority: blocker Milestone: PostGIS 3.0.9
Component: postgis Version: 3.2.x
Keywords: Cc: ewie

Description (last modified by ewie)

The following query causes a segfault that puts Postgres in recovery mode:

SELECT
  ST_Buffer(
    ST_Transform(
      ST_SetSRID(
        ST_GeomFromText(
          'MULTIPOLYGON(((0 0, 1 0, 1 1, 0 1, 0 0)))',
          4326
        ),
        4647
      ),
      25832
    ),
    1
  );

Postgres log:

2023-01-14 01:21:54.455 CET [4520] LOG:  server process (PID 5016) was terminated by exception 0xC0000005
2023-01-14 01:21:54.455 CET [4520] DETAIL:  Failed process was running: SELECT
	  ST_Buffer(
	    ST_Transform(
	      ST_SetSRID(
	        ST_GeomFromText(
	          'MULTIPOLYGON(((0 0, 1 0, 1 1, 0 1, 0 0)))',
	          4326
	        ),
	        4647
	      ),
	      25832
	    ),
	    1
	  );
2023-01-14 01:21:54.455 CET [4520] HINT:  See C include file "ntstatus.h" for a description of the hexadecimal value.
2023-01-14 01:21:54.455 CET [4520] LOG:  terminating any other active server processes
2023-01-14 01:21:54.462 CET [8804] WARNING:  terminating connection because of crash of another server process
2023-01-14 01:21:54.462 CET [8804] DETAIL:  The postmaster has commanded this server process to roll back the current transaction and exit, because another server process exited abnormally and possibly corrupted shared memory.
2023-01-14 01:21:54.462 CET [8804] HINT:  In a moment you should be able to reconnect to the database and repeat your command.
2023-01-14 01:21:54.476 CET [4520] LOG:  all server processes terminated; reinitializing
2023-01-14 01:21:54.665 CET [5368] LOG:  database system was interrupted; last known up at 2023-01-14 01:01:08 CET
2023-01-14 01:22:29.148 CET [4480] FATAL:  the database system is in recovery mode
2023-01-14 01:22:50.260 CET [5368] LOG:  database system was not properly shut down; automatic recovery in progress
2023-01-14 01:22:50.440 CET [5368] LOG:  redo starts at 157/4F24D0F8
2023-01-14 01:22:50.441 CET [5368] LOG:  invalid record length at 157/4F24D1E0: wanted 24, got 0
2023-01-14 01:22:50.441 CET [5368] LOG:  redo done at 157/4F24D1A8
2023-01-14 01:22:50.891 CET [4520] LOG:  database system is ready to accept connections

The segfault is caused by ST_Buffer. Omitting ST_Buffer or calling it with buffer_or_radius=0 causes no segfault.

Calling ST_SetSRID with srid=4647 before ST_Transform is nonsense but ST_Buffer should not segfault on the resulting geometry. The origin of this query is a database user who erroneously set incorrect SRID 4647 before transforming geometries.

I cannot reproduce it with Docker images postgis/postgis:12-3.2 or postgis/postgis:14-3.3.

Postgres & PostGIS versions

PostgreSQL 12.13, compiled by Visual C++ build 1914, 64-bit

POSTGIS="3.2.2 3.2.2" [EXTENSION] PGSQL="120" GEOS="3.10.3-CAPI-1.16.1" SFCGAL="1.4.1" PROJ="7.2.1" GDAL="GDAL 3.4.2, released 2022/03/08 GDAL_DATA not found" LIBXML="2.9.9" LIBJSON="0.12" LIBPROTOBUF="1.2.1" WAGYU="0.5.0 (Internal)" RASTER
PostgreSQL 14.6, compiled by Visual C++ build 1914, 64-bit

POSTGIS="3.3.2 3.3.2" [EXTENSION] PGSQL="140" GEOS="3.11.1-CAPI-1.17.1" PROJ="7.2.1" LIBXML="2.9.9" LIBJSON="0.12" LIBPROTOBUF="1.2.1" WAGYU="0.5.0 (Internal)"

System

Microsoft Windows Server 2019 Standard
Version 10.0.17763 Build 17763

Attachments (1)

stacktrace-pg14.txt (15.1 KB ) - added by ewie 22 months ago.
windbg stacktrace on postgres 14.6

Download all attachments as: .zip

Change History (17)

comment:1 by ewie, 23 months ago

Description: modified (diff)

comment:2 by ewie, 23 months ago

Description: modified (diff)

comment:3 by robe, 23 months ago

Milestone: PostGIS 3.2.4
Priority: mediumblocker

Confirmed it crashes too

POSTGIS="3.3.2 3.3.2" [EXTENSION] PGSQL="150" GEOS="3.11.1-CAPI-1.17.1" SFCGAL="SFCGAL 1.4.1, CGAL 5.3, BOOST 1.78.0" PROJ="7.2.1" GDAL="GDAL 3.4.3, released 2022/04/22" LIBXML="2.9.9" LIBJSON="0.12" LIBPROTOBUF="1.2.1" WAGYU="0.5.0 (Internal)" TOPOLOGY RASTER	PostgreSQL 15.1, compiled by Visual C++ build 1914, 64-bit
SELECT
  ST_Buffer(
    ST_Transform(
      ST_SetSRID(
        ST_GeomFromText(
          'MULTIPOLYGON(((0 0, 1 0, 1 1, 0 1, 0 0)))',
          4326
        ),
        4647
      ),
      25832
    ),
    1
  );

But interestingly this doesn't crash:

SELECT

    ST_Transform(
      ST_SetSRID(
        ST_GeomFromText(
          'MULTIPOLYGON(((0 0, 1 0, 1 1, 0 1, 0 0)))',
          4326
        ),
        4647
      ),
      25832
    );

and gives a:

MULTIPOLYGON(((Infinity Infinity,Infinity Infinity,Infinity Infinity,Infinity Infinity,Infinity Infinity)))

It doesn't crash on my Linux Debian Arm server running:

POSTGIS="3.3.2 4975da8" [EXTENSION] PGSQL="150" GEOS="3.10.2-CAPI-1.16.0" SFCGAL="SFCGAL 1.4.1, CGAL 5.3.1, BOOST 1.74.0" PROJ="8.2.1" GDAL="GDAL 3.4.1, released 2021/12/27" LIBXML="2.9.13" LIBJSON="0.15" LIBPROTOBUF="1.3.3" WAGYU="0.5.0 (Internal)" (core procs from "3.3.0dev fef762990" need upgrade) TOPOLOGY (topology procs from "3.3.0dev fef762990" need upgrade) RASTER (raster procs from "3.3.0dev fef762990" need upgrade) (sfcgal procs from "3.3.0dev fef762990" need upgrade) PostgreSQL 15.1 (Ubuntu 15.1-1.pgdg22.04+1) on aarch64-unknown-linux-gnu, compiled by gcc (Ubuntu 11.3.0-1ubuntu1~22.04) 11.3.0, 64-bit

it gives error on both the ST_AsText and ST_Buffer

ERROR:  transform: Point outside of projection domain (2050)

So I guess the ultimate issue, is buffer can't buffer the infinity polygon which interestingly I can't cast back to a geometry. Gives invalid geometry if I try to do

SELECT ST_Buffer('MULTIPOLYGON(((Infinity Infinity,Infinity Infinity,Infinity Infinity,Infinity Infinity,Infinity Infinity)))'::geometry)

However on my Linux box

SELECT ST_Buffer('0106000020E86400000100000001030000000100000005000000000000000000F07F000000000000F07F000000000000F07F000000000000F07F000000000000F07F000000000000F07F000000000000F07F000000000000F07F000000000000F07F000000000000F07F'::geometry, 10)

Gives a ERROR: SSL SYSCALL error: EOF detected

which is not quite a crash but should never happen.

Version 0, edited 23 months ago by robe (next)

comment:4 by robe, 23 months ago

Milestone: PostGIS 3.2.4PostGIS 3.0.9
Owner: changed from pramsey to robe
Summary: ST_Buffer causes segfaultST_Buffer causes segfault on polygon with infinity coordinates

I'm also checking what other functions we are missing infinity checks on that need them.

by ewie, 22 months ago

Attachment: stacktrace-pg14.txt added

windbg stacktrace on postgres 14.6

comment:5 by ewie, 22 months ago

I attached the stacktrace that I got with windbg as described here: https://wiki.postgresql.org/wiki/Using_windbg.exe_to_debug_PostgreSQL.

PostgreSQL 14.6, compiled by Visual C++ build 1914, 64-bit
POSTGIS="3.3.2 3.3.2" [EXTENSION] PGSQL="140" GEOS="3.11.1-CAPI-1.17.1" PROJ="7.2.1" LIBXML="2.9.9" LIBJSON="0.12" LIBPROTOBUF="1.2.1" WAGYU="0.5.0 (Internal)"

comment:6 by ewie, 22 months ago

Segfault only occurs when calling ST_Buffer with style endcap=round or endcap=square. Style endcap=flat results in an empty polygon.

comment:7 by Regina Obe <lr@…>, 22 months ago

In 633cf97/git:

Prevent crash on infinite coordinates
for PostGIS 3.4
References #5319 ST_SetPoint
References #5315 ST_Buffer
References #5318 ST_MaximumnInscribedCircle

comment:8 by Regina Obe <lr@…>, 22 months ago

In a46840c/git:

Prevent crash on infinite coordinates
for PostGIS 3.3.3
References #5319 ST_SetPoint
References #5315 ST_Buffer
References #5318 ST_MaximumnInscribedCircle

comment:9 by Regina Obe <lr@…>, 22 months ago

In 0239850/git:

Prefilter to check for non-finite coordinates before feeding
ST_SimplifyPreserveTopology, ST_Buffer, ST_SetPoint,
ST_MinimumInscribedCircle
to avoid crash/hang.
References #5320
References #5315
References #5318
References #5319
for PostGIS 3.2.5

comment:10 by robe, 22 months ago

Milestone: PostGIS 3.0.9PostGIS 3.2.4

These changes don't apply cleanly to 3.1 and below, so I think I'll stop at 3.2.4. Also realized I forgot to free, so will make some adjustments and then close these out.

comment:11 by robe, 22 months ago

Milestone: PostGIS 3.2.4PostGIS 3.0.9

Scratch that thought, I think I have it working.

comment:12 by Regina Obe <lr@…>, 22 months ago

In 11335bb/git:

Prefilter to check for non-finite coordinates before feeding
ST_SimplifyPreserveTopology, ST_Buffer, ST_SetPoint,
ST_MinimumInscribedCircle
to avoid crash/hang.
References #5320
References #5315
References #5318
References #5319
for PostGIS 3.1.9

comment:13 by Regina Obe <lr@…>, 22 months ago

In 92e7399/git:

Prefilter to check for non-finite coordinates before feeding
ST_SimplifyPreserveTopology, ST_Buffer, ST_SetPoint
to avoid crash/hang.
References #5320
References #5315
References #5319
for PostGIS 3.0.9

comment:14 by Regina Obe <lr@…>, 22 months ago

In 256dd5e/git:

Free lwgeom
References #5320, #5315, #5318
for PostGIS 3.4.0

comment:15 by Regina Obe <lr@…>, 22 months ago

In 6885b9d/git:

Free lwgeom
References #5320, #5315, #5318
for PostGIS 3.3.3

comment:16 by Regina Obe <lr@…>, 22 months ago

Resolution: fixed
Status: newclosed

In 7c5bf6f/git:

Free lwgeom
Closes #5320
Closes #5315
Closes #5318
for PostGIS 3.2.5

Note: See TracTickets for help on using tickets.