Changeset 9175


Timestamp:
Jul 13, 2009 2:02:54 PM (7 years ago)
Author:
dmorissette
Message:

New fix for incomplete CVE-2009-0840 security fix made in 4.10.4 (#2943)

Location:
branches/branch-4-10/mapserver
Files:
3 edited

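--- a/branches/branch-4-10/mapserver/HISTORY.TXT
+++ b/branches/branch-4-10/mapserver/HISTORY.TXT
@@ -10,4 +10,9 @@
 For a complete change history, please see the Subversion log comments.
 
+
+Current Version (SVN branch, may never be released):
+----------------------------------------------------
+
+- New fix for incomplete CVE-2009-0840 security fix made in 4.10.4 (#2943)
 
 Version 4.10.4 (2009-03-26)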
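--- a/branches/branch-4-10/mapserver/cgiutil.c
+++ b/branches/branch-4-10/mapserver/cgiutil.c
@@ -70,5 +70,5 @@
 {
     char *data;
-    unsigned int data_max, data_len;
+    size_t data_max, data_len;
     int chunk_size;
 
@@ -81,5 +81,12 @@
     {
 
-        data_max = atoi(getenv("CONTENT_LENGTH"));
+        data_max = (size_t) atoi(getenv("CONTENT_LENGTH"));
+        /* Test for suspicious CONTENT_LENGTH (negative value or SIZE_MAX) */
+        if( data_max >= SIZE_MAX )
+        {
+            msIO_printf("Content-type: text/html%c%c",10,10);
+            msIO_printf("Suspicious Content-Length.\n");
+            exit( 1 );
+        }
         data = (char *) malloc(data_max+1);
         if( data == NULL )
@@ -103,5 +110,7 @@
 /*      Otherwise read in chunks to the end.                            */
 /* -------------------------------------------------------------------- */
-    data_max = 10000;
+#define DATA_ALLOC_SIZE 10000
+
+    data_max = DATA_ALLOC_SIZE;
     data_len = 0;
     data = (char *) malloc(data_max+1);
@@ -114,5 +123,13 @@
         if( data_len == data_max )
         {
-            data_max = data_max + 10000;
+            /* Realloc buffer, making sure we check for possible size_t overflow */
+            if ( data_max > SIZE_MAX - (DATA_ALLOC_SIZE+1) )
+            {
+                msIO_printf("Content-type: text/html%c%c",10,10);
+                msIO_printf("Possible size_t overflow, cannot reallocate input buffer, POST body too large?\n" );
+                exit(1);
+            }
+
+            data_max = data_max + DATA_ALLOC_SIZE;
             data = (char *) realloc(data, data_max+1);
 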
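Review bot: The guard at new lines 84–90 rejects only a CONTENT_LENGTH of -1: any other negative value cast to size_t lands below SIZE_MAX, passes the `>= SIZE_MAX` test, and reaches `malloc(data_max+1)` with a near-SIZE_MAX request, so the comment's claim of catching a "negative value" is wider than what the code does. atoi() also returns 0 silently for non-numeric input and cannot report overflow, so the value is accepted before it has really been validated. Parsing with strtol() into a long and rejecting negatives, trailing garbage and ERANGE before the size_t conversion makes the check match the comment; errno needs `<errno.h>` in scope if the file does not already include it. Whether CONTENT_LENGTH has already been checked for NULL depends on the condition at line 81, which lies outside the hunk, so the NULL test below may be redundant. The same comment-vs-code mismatch does not affect the realloc guard at new lines 126–131, which is arithmetically correct.
```c
    {
        const char *cl_str = getenv("CONTENT_LENGTH");
        char *cl_end = NULL;
        long cl = -1;

        errno = 0;
        if( cl_str != NULL )
            cl = strtol(cl_str, &cl_end, 10);
        /* Reject missing, empty, non-numeric, out-of-range and negative values */
        if( cl_str == NULL || cl_end == cl_str || *cl_end != '\0'
            || errno == ERANGE || cl < 0 || (unsigned long) cl >= SIZE_MAX )
        {
            msIO_printf("Content-type: text/html%c%c",10,10);
            msIO_printf("Suspicious Content-Length.\n");
            exit( 1 );
        }
        data_max = (size_t) cl;
        /* … unchanged: malloc(data_max+1) and its NULL check … */
```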
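--- a/branches/branch-4-10/mapserver/map.h
+++ b/branches/branch-4-10/mapserver/map.h
@@ -49,4 +49,5 @@
 #else
 #include <unistd.h>
+#include <stdint.h>
 #endif
 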
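Review bot: `<stdint.h>` is added only under the `#else` branch at line 49, so whatever platform the other side of that conditional covers (its head is outside the hunk) gets no SIZE_MAX definition, while cgiutil.c in this same changeset now relies on SIZE_MAX unconditionally. If that branch targets a toolchain without `<stdint.h>`, the build breaks there rather than falling back silently. A guarded fallback after the conditional, `#ifndef SIZE_MAX` / `#define SIZE_MAX ((size_t)-1)` / `#endif`, keeps the new checks compiling on both branches; whether it is needed depends on the `#if` condition, which I cannot see here.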