Changeset 9173


Timestamp:
Jul 13, 2009 1:34:07 PM (7 years ago)
Author:
dmorissette
Message:

New fix for incomplete CVE-2009-0840 security fix made in 5.2.2 (#2943)

Location:
branches/branch-5-2/mapserver
Files:
3 edited

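--- a/branches/branch-5-2/mapserver/HISTORY.TXT
+++ b/branches/branch-5-2/mapserver/HISTORY.TXT
@@ -12,4 +12,6 @@
 Current Version:
 ----------------
+
+- New fix for incomplete CVE-2009-0840 security fix made in 5.2.2 (#2943)
 
 - Fixed seg fault if font not found with label ANGLE FOLLOW (#2973)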
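--- a/branches/branch-5-2/mapserver/cgiutil.c
+++ b/branches/branch-5-2/mapserver/cgiutil.c
@@ -45,5 +45,5 @@
 {
   char *data;
-  unsigned int data_max, data_len;
+  size_t data_max, data_len;
   int chunk_size;
 
@@ -54,8 +54,9 @@
   /* -------------------------------------------------------------------- */
   if( getenv("CONTENT_LENGTH") != NULL ) {
-    data_max = (unsigned int) atoi(getenv("CONTENT_LENGTH"));
-    if(data_max <= 0) {
+    data_max = (size_t) atoi(getenv("CONTENT_LENGTH"));
+    /* Test for suspicious CONTENT_LENGTH (negative value or SIZE_MAX) */
+    if( data_max >= SIZE_MAX ) {
       msIO_printf("Content-type: text/html%c%c",10,10);
-      msIO_printf("Content-Length too small.\n");
+      msIO_printf("Suspicious Content-Length.\n");
       exit( 1 );
     }
@@ -80,5 +81,7 @@
   /*      Otherwise read in chunks to the end.                            */
   /* -------------------------------------------------------------------- */
-  data_max = 10000;
+#define DATA_ALLOC_SIZE 10000
+
+  data_max = DATA_ALLOC_SIZE;
   data_len = 0;
   data = (char *) malloc(data_max+1);
@@ -88,5 +91,12 @@
 
     if( data_len == data_max ) {
-      data_max = data_max + 10000;
+      /* Realloc buffer, making sure we check for possible size_t overflow */
+        if ( data_max > SIZE_MAX - (DATA_ALLOC_SIZE+1) ) {
+        msIO_printf("Content-type: text/html%c%c",10,10);
+        msIO_printf("Possible size_t overflow, cannot reallocate input buffer, POST body too large?\n" );
+        exit(1);
+      }
+
+      data_max = data_max + DATA_ALLOC_SIZE;
       data = (char *) realloc(data, data_max+1);
 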
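Review bot: The `if( data_max >= SIZE_MAX )` test at new line 58 only catches a CONTENT_LENGTH of exactly -1: atoi() returns a signed int, and every other negative value cast to size_t (a constructed example: "-2" becomes SIZE_MAX-1) passes the check and reaches `malloc(data_max+1)` with a size close to SIZE_MAX, so the comment "negative value or SIZE_MAX" on line 57 overstates what is rejected. Parse the header with strtol() and reject it while it is still signed, before the cast, as in the excerpt below; strtol() also reports numeric overflow through ERANGE/clamping instead of the undefined behaviour atoi() has on out-of-range input. Whether the malloc() result at new line 87 and the realloc() result at new line 101 are checked for NULL is outside the hunk, and `data = (char *) realloc(data, data_max+1);` overwrites the only pointer to the old buffer, so both are worth confirming. The enclosing function starts before the first hunk and ends after the last.
```c
  if( getenv("CONTENT_LENGTH") != NULL ) {
    const char *cl_str = getenv("CONTENT_LENGTH");
    char *end = NULL;
    long content_length = strtol(cl_str, &end, 10);
    /* Reject while still signed: with atoi() + (size_t) cast only -1 maps
       to SIZE_MAX, any other negative value would slip past the check. */
    if( end == cl_str || *end != '\0' || content_length < 0 ) {
      msIO_printf("Content-type: text/html%c%c",10,10);
      msIO_printf("Suspicious Content-Length.\n");
      exit( 1 );
    }
    data_max = (size_t) content_length;
    /* … unchanged: remainder of the CONTENT_LENGTH branch … */
```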
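--- a/branches/branch-5-2/mapserver/mapserver.h
+++ b/branches/branch-5-2/mapserver/mapserver.h
@@ -66,4 +66,8 @@
 /* definition of  ms_int32/ms_uint32 */
 #include <limits.h>
+#ifndef _WIN32
+#include <stdint.h>
+#endif
+
 #if ULONG_MAX == 0xffffffff
 typedef long            ms_int32;
@@ -73,5 +77,4 @@
 typedef unsigned int    ms_uint32;
 #else
-#include <stdint.h>
 typedef int32_t         ms_int32;
 typedef uint32_t        ms_uint32;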
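Review bot: The `#ifndef _WIN32` guard around `#include <stdint.h>` at new line 68 has no comment explaining why the include is skipped on Windows, and cgiutil.c in this same changeset now relies on SIZE_MAX, which is the header <stdint.h> normally supplies. Presumably the guard exists because the Windows toolchain in use ships no <stdint.h>; if so, add `/* <stdint.h> is absent on the Win32 toolchain; SIZE_MAX (used by cgiutil.c) must then come from <limits.h> or an equivalent */` so the dependency is visible. I cannot tell from this page whether SIZE_MAX is actually defined on a Win32 build, so that is worth confirming before merging the cgiutil.c change. Note that the `#else` branch at new line 78 is only reached when ULONG_MAX differs from 0xffffffff, so int32_t/uint32_t there now resolve solely through the include moved above.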