[PATCH] Fix crashes on corrupted geometries in shapefiles

[rouault]

This is a clone of a GDAL bug : ​http://trac.osgeo.org/gdal/ticket/2218.

The attached patch adds checks to msSHPReadPoint and msSHPReadShape so that hostile/corrupted geometries in a shape entity don't cause shapelib to read memory outside of the declared entity size and pabyRec buffer.

I've attached too a zip file containing a few volontary corrupted shapefiles to demonstrate the crashes (or Valgrind errors) and the fix.

Too bad that mapserver doesn't use shapelib 1.2... It duplicates the effort of merging fixes.

[sdlime]

Thanks for the patch! Are there any performance side-effects? Cc'ing Frank for comment...

Steve

[rouault]

It shouldn't have too much performance side-effects, as it doesn't change fundamentaly the way shapes are read. However it adds several 'if' for each read, but I don't expect them to be significant in comparison to I/O time.

[rouault]

Enclosed a zip file containing a few small good and a few bad simple shapefiles (cf GDAL bug) and a mapfile.

Should crash shp2img on a non-patched mapserver :

./shp2img -m map_test.map -l "goodpoint badpoint goodline badline goodpoly badpoly badpoly2" > test.png

[rouault]

Mapfile and shapefiles demonstrating the bug and the fix

[rouault]

I've also updated the patch with a few missing checks in msSHPOpen that have been integreated into shapelib 1.2 some time ago.

[warmerdam]

The changes look reasonable to me.

[sdlime]

Patch applied in r7383. Closing...

Steve