Ticket #2708 (closed defect: fixed)

Opened 5 years ago

Last modified 5 years ago

Potential buffer overflow in GMLHandler::startElement() and GMLHandler::endElement()

Reported by: rouault Owned by: warmerdam
Priority: normal Milestone: 1.4.5
Component: OGR_SF Version: unspecified
Severity: normal Keywords: gml
Cc:

Description

The szElementName variable in both methods is allocated on the stack and tr_strcpy'ed with localname, but without checking the size of localname. It's then easy to trigger a buffer overflow with a GML file containing a long element name. All versions of GDAL with GML driver are affected.

In GDAL 1.6.0, the size used to reallocate m_pszGeometry could be not big enough in those both methods. The fix is to consider the size of the translated char* string, and not the number of characters of the XMLCh* string.

Change History

Changed 5 years ago by rouault

  • status changed from new to closed
  • resolution set to fixed

Fixed in trunk in r15848, in branches/1.6 in r15849, in branches/1.5 in r15850, in branches/1.4 in r15851

Note: See TracTickets for help on using tickets.