Ticket #2132 (closed defect: fixed)

Opened 6 years ago

Last modified 6 years ago

Invalid pointer access in msGetEncodedString()

Reported by: dmorissette Owned by: dmorissette
Priority: normal Milestone:
Component: MapServer C Library Version:
Severity: normal Keywords:
Cc: sdlime

Description

Using valgrind I found that msGetEncodedString() will sometimes allocate a 0-size buffer for the output strng if the input string len is 0. This can lead to invalid memory writes.

Change History

Changed 6 years ago by dmorissette

  • status changed from new to closed
  • resolution set to fixed

Fixed in branch 4.10 (r6245) by allocating a large enough buffer. Note that this possible error condition was not encountered often (if at all) in 4.10 because msGetEncodedString() was only called inside the label cache rendering code.

However in 4.99 (future 5.0) the call to msGetEncodedString() has been moved earlier in the process and 0-size strings are more common at that point. The fix in the SVN trunk (r6246) also includes some tests to do nothing if len is 0 or if the source encoding is already UTF-8. We also removed an unnecessary copy of the input buffer that was made.

Note: See TracTickets for help on using tickets.