grib g2clib: Fix g2_unpack7.c OOM crash in g2_unpack5.c

Found by autofuzz git-svn-id: https://svn.osgeo.org/gdal/trunk@40409 f0d54148-0727-0410-94bb-9a71ac55c965
OSGeo · Oct 12, 2017 · ae92f7f · ae92f7f
1 parent 7a0479d
commit ae92f7f
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/gdal/frmts/grib/degrib18/g2clib-1.0.4/g2_unpack5.c b/gdal/frmts/grib/degrib18/g2clib-1.0.4/g2_unpack5.c
@@ -54,6 +54,7 @@ g2int g2_unpack5(unsigned char *cgrib,g2int cgrib_length,g2int *iofst,g2int *ndp
       g2int lensec,isign,newlen;
       g2int *lidrstmpl=0;
       xxtemplate *mapdrs;
+      int ret=0;
 
       ierr=0;
       *idrstmpl=0;       //NULL
@@ -71,7 +72,17 @@ g2int g2_unpack5(unsigned char *cgrib,g2int cgrib_length,g2int *iofst,g2int *ndp
          return(ierr);
       }
 
-      gbit2(cgrib,cgrib_length,ndpts,*iofst,32);    // Get num of data points
+      // Get num of data points.
+      ret = gbit2(cgrib,cgrib_length,ndpts,*iofst,32);
+      // ndpts is clearly nonsense if it outside of 0..33554432
+      if (*ndpts < 0 || ret != 0) {
+         *ndpts = 0;
+         return 6;
+      }
+      if (*ndpts > 2<<24) {
+         *ndpts = 2<<24;
+         return 6;
+      }
       *iofst=*iofst+32;
       gbit2(cgrib,cgrib_length,idrsnum,*iofst,16);     // Get Data Rep Template Num.
       *iofst=*iofst+16;