Opened 11 years ago

Closed 11 years ago

#2708 closed defect (fixed)

Potential buffer overflow in GMLHandler::startElement() and GMLHandler::endElement()

Reported by: Even Rouault Owned by: warmerdam
Priority: normal Milestone: 1.4.5
Component: OGR_SF Version: unspecified
Severity: normal Keywords: gml
Cc:

Description

The szElementName variable in both methods is allocated on the stack and tr_strcpy'ed with localname, but without checking the size of localname. It's then easy to trigger a buffer overflow with a GML file containing a long element name. All versions of GDAL with GML driver are affected.

In GDAL 1.6.0, the size used to reallocate m_pszGeometry could be not big enough in those both methods. The fix is to consider the size of the translated char* string, and not the number of characters of the XMLCh* string.

Change History (1)

comment:1 Changed 11 years ago by Even Rouault

Resolution: fixed
Status: newclosed

Fixed in trunk in r15848, in branches/1.6 in r15849, in branches/1.5 in r15850, in branches/1.4 in r15851

Note: See TracTickets for help on using tickets.