Ticket #2708 (closed defect: fixed)
Potential buffer overflow in GMLHandler::startElement() and GMLHandler::endElement()
|Reported by:||rouault||Owned by:||warmerdam|
The szElementName variable in both methods is allocated on the stack and tr_strcpy'ed with localname, but without checking the size of localname. It's then easy to trigger a buffer overflow with a GML file containing a long element name. All versions of GDAL with GML driver are affected.
In GDAL 1.6.0, the size used to reallocate m_pszGeometry could be not big enough in those both methods. The fix is to consider the size of the translated char* string, and not the number of characters of the XMLCh* string.