Ticket #2572 (closed defect: fixed)

Opened 5 years ago

Last modified 5 years ago

Segmentation fault in msSplitData in maporaclespatial.c

Reported by: aalbarello Owned by: fsimon@…
Priority: normal Milestone: 5.2 release
Component: Input - Native Oracle Spatial Support Version: svn-trunk (development)
Severity: normal Keywords:
Cc: sdlime

Description

data_version is defined as char[3] in function msSplitData on line 284 of maporaclespatial.c (as of svn-trunk revision 7504), although on lines 424 through 429 up to 4 bytes are copied into the string (e.g. "VERSION 10g" in the DATA definition leads to "10g" plus the final null character being written to the buffer). This can cause segmentation faults, and particularly so on Linux, most likely due to the different memory alignment. Defining data_version as char[4] solves the problem.

Adding some length checks to avoid similar buffer overflows in msSplitData, at least as far as data_version and tok_function are concerned, wouldn't hurt anyway.
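To make the off-by-one concrete, here is an added illustration (constructed for this ticket, not MapServer's msSplitData code): the three-character version token "10g" needs four bytes once the terminating NUL is counted, so a char[3] destination is one byte short. The helper below copies a token into a fixed-size buffer only when it fits, which is the kind of length check the report asks for; the DATA string and function names are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed illustration, not MapServer's own code.
   The ticket's buffer was char[3]; "10g" plus the NUL terminator needs 4 bytes. */
#define DATA_VERSION_LEN 4

/* Copy src_len bytes of src into dst only if they fit together with the NUL.
   Returns 1 on success, 0 if the token would overflow (dst is left empty). */
static int copy_token_bounded(char *dst, size_t dst_size,
                              const char *src, size_t src_len)
{
    if (dst_size == 0)
        return 0;
    if (src_len + 1 > dst_size) {   /* +1 accounts for the terminator */
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 1;
}

/* Extract the token following "VERSION " from a DATA-style string such as
   "... VERSION 10g" into data_version (hypothetical parser for this example).
   Returns 1 if the token was found and copied, 0 if missing or too long. */
int parse_data_version(const char *data, char *data_version, size_t version_size)
{
    const char *key = "VERSION ";
    const char *p = strstr(data, key);
    if (!p) {
        if (version_size)
            data_version[0] = '\0';
        return 0;
    }
    p += strlen(key);
    size_t len = strcspn(p, " \t\r\n");   /* token ends at whitespace or end of string */
    return copy_token_bounded(data_version, version_size, p, len);
}

/* Minimum buffer size that can hold a token plus its NUL terminator. */
size_t needed_buffer_size(const char *token)
{
    return strlen(token) + 1;
}

int main(void)
{
    /* Constructed DATA string; the VERSION token matches the one in the ticket. */
    const char *data = "geom FROM table USING UNIQUE id SRID 4326 VERSION 10g";
    char small[3];                 /* the ticket's original size: too small for "10g" + NUL */
    char fixed[DATA_VERSION_LEN];  /* the size the ticket proposes */

    printf("\"10g\" needs %zu bytes\n", needed_buffer_size("10g"));
    printf("char[3]: %s\n",
           parse_data_version(data, small, sizeof small) ? "copied" : "rejected (would overflow)");
    printf("char[4]: %s -> \"%s\"\n",
           parse_data_version(data, fixed, sizeof fixed) ? "copied" : "rejected", fixed);
    return 0;
}
```

With the bounded copy the undersized buffer is rejected rather than silently overrun, so the failure shows up as a parse error instead of the stack corruption that the ticket observed on Linux.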

Attachments

fix2572.diff (447 bytes) - added by aalbarello 5 years ago.
Attaching a patch against r7680.

Change History

Changed 5 years ago by tomkralidis

  • owner changed from sdlime to fsimon@…
  • version changed from 5.0 to svn-trunk (development)
  • component changed from MapServer C Library to Input - Native Oracle Spatial Support
  • milestone set to 5.2 release

Changed 5 years ago by aalbarello

  • cc sdlime added; fsimon@… removed

I hope this can be fixed in time for Mapserver 5.2. CC'ing Steve as the fix is trivial and I haven't yet heard from the Oracle Spatial maintainer.

Andreas

Changed 5 years ago by aalbarello

Attaching a patch against r7680.

Changed 5 years ago by sdlime

  • status changed from new to closed
  • resolution set to fixed

Fixed in r7699.

Steve
