From 4d4b7c55e3c21ee145a04a554d1d67c36b6a226f Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Thu, 25 Jan 2024 14:51:33 +0100
Subject: [PATCH] GDALDeserializeGCPListFromXML(): validate value of GCP
 Pixel,Line,X,Y,Z attributes

---
 gcore/gdal_misc.cpp | 42 +++++++++++++++++++++++++++++++++++++-----
 1 file changed, 37 insertions(+), 5 deletions(-)

diff --git a/gcore/gdal_misc.cpp b/gcore/gdal_misc.cpp
index c711581d219e..de6ac5c38530 100644
--- a/gcore/gdal_misc.cpp
+++ b/gcore/gdal_misc.cpp
@@ -4200,11 +4200,36 @@ void GDALDeserializeGCPListFromXML(CPLXMLNode *psGCPList,
         CPLFree(psGCP->pszInfo);
         psGCP->pszInfo = CPLStrdup(CPLGetXMLValue(psXMLGCP, "Info", ""));
 
-        psGCP->dfGCPPixel = CPLAtof(CPLGetXMLValue(psXMLGCP, "Pixel", "0.0"));
-        psGCP->dfGCPLine = CPLAtof(CPLGetXMLValue(psXMLGCP, "Line", "0.0"));
+        const auto ParseDoubleValue =
+            [psXMLGCP](const char *pszParameter, double &dfVal)
+        {
+            const char *pszVal =
+                CPLGetXMLValue(psXMLGCP, pszParameter, nullptr);
+            if (!pszVal)
+            {
+                CPLError(CE_Failure, CPLE_AppDefined, "GCP#%s is missing",
+                         pszParameter);
+                return false;
+            }
+            char *endptr = nullptr;
+            dfVal = CPLStrtod(pszVal, &endptr);
+            if (endptr == pszVal)
+            {
+                CPLError(CE_Failure, CPLE_AppDefined,
+                         "GCP#%s=%s is an invalid value", pszParameter, pszVal);
+                return false;
+            }
+            return true;
+        };
 
-        psGCP->dfGCPX = CPLAtof(CPLGetXMLValue(psXMLGCP, "X", "0.0"));
-        psGCP->dfGCPY = CPLAtof(CPLGetXMLValue(psXMLGCP, "Y", "0.0"));
+        if (!ParseDoubleValue("Pixel", psGCP->dfGCPPixel))
+            continue;
+        if (!ParseDoubleValue("Line", psGCP->dfGCPLine))
+            continue;
+        if (!ParseDoubleValue("X", psGCP->dfGCPX))
+            continue;
+        if (!ParseDoubleValue("Y", psGCP->dfGCPY))
+            continue;
         const char *pszZ = CPLGetXMLValue(psXMLGCP, "Z", nullptr);
         if (pszZ == nullptr)
         {
@@ -4212,7 +4237,14 @@ void GDALDeserializeGCPListFromXML(CPLXMLNode *psGCPList,
             // but could not read it back.
             pszZ = CPLGetXMLValue(psXMLGCP, "GCPZ", "0.0");
         }
-        psGCP->dfGCPZ = CPLAtof(pszZ);
+        char *endptr = nullptr;
+        psGCP->dfGCPZ = CPLStrtod(pszZ, &endptr);
+        if (endptr == pszZ)
+        {
+            CPLError(CE_Failure, CPLE_AppDefined,
+                     "GCP#Z=%s is an invalid value", pszZ);
+            continue;
+        }
 
         (*pnGCPCount)++;
     }