Opened 16 years ago
Closed 16 years ago
#2805 closed defect (fixed)
MapServer crashes on filters using a <gml:Box> in POST requests
| Reported by: | aeichner | Owned by: | assefa |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | WFS Server | Version: | 5.2 |
| Severity: | normal | Keywords: | WFS server crash box coords |
| Cc: |
Description
MapServer crashes when using a filter containing a <gml:Box> element with no <gml:coordinates> child element. This results in a HTTP 500 (internal server error) response and the message "premature end of script headers" in the Apache logs.
This is caused by a programming error leading to a NULL pointer dereference and resulting in a SIGSEGV. The function causing the error is FLTParseGMLBox. It extracts the <gml:coordinates> element and afterwards the containing text node but doesn't take care <gml:coordinates> was actually found.
The following patch corrects the issue.
--- mapogcfilter.c.orig 2008-11-06 15:40:58.000000000 +0100
+++ mapogcfilter.c 2008-11-06 15:42:30.000000000 +0100
@@ -3759,21 +3759,21 @@
if (psBox)
{
pszSRS = (char *)CPLGetXMLValue(psBox, "srsName", NULL);
if (*ppszSRS)
*ppszSRS = strdup(pszSRS);
psCoordinates = CPLGetXMLNode(psBox, "coordinates");
pszTS = (char *)CPLGetXMLValue(psCoordinates, "ts", NULL);
pszCS = (char *)CPLGetXMLValue(psCoordinates, "cs", NULL);
- psCoordChild = psCoordinates->psChild;
+ psCoordChild = psCoordinates ? psCoordinates->psChild : NULL;
while (psCoordinates && psCoordChild && psCoordChild->eType != CXT_Text)
{
psCoordChild = psCoordChild->psNext;
}
if (psCoordChild && psCoordChild->pszValue)
{
pszTmpCoord = psCoordChild->pszValue;
if (pszTS)
szCoords = msStringSplit(pszTmpCoord, pszTS[0], &nCoords);
else
Change History (2)
comment:1 by , 16 years ago
| Owner: | changed from to |
|---|
comment:2 by , 16 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
Thx I will apply the patch and commit.