Ticket #2944 (closed defect: fixed)
CGI file creation does not adequately check input which could lead to a buffer overflow.
|Reported by:||sdlime||Owned by:||sdlime|
|Component:||MapServer C Library||Version:||unspecified|
Several places in mapserv.c and maptemplate.c create temporary file names using a static buffer. Several values including map->name and map->imagepath are used to create file names for things like maps, legends and such. If a mapfile were crafted with very long values for those parameters it is possible to overflow the static buffer.
Solution is to use snprintf instead of sprintf to ensure that a limited number of characters can be written to the static buffer. If more characters are present then MapServer will throw an error about not being able to open a file for writing.