Opened 15 years ago
Last modified 15 years ago
#3027 assigned defect
readWorldFile() in mapraster.c could produce a small buffer overflow
Reported by: | sdlime | Owned by: | sdlime |
---|---|---|---|
Priority: | normal | Milestone: | 6.0 release |
Component: | MapServer C Library | Version: | unspecified |
Severity: | normal | Keywords: | |
Cc: | dmorissette, rouault |
Description
Reported by Even Rouault...
I've also seen another potentially unsafe use of strcpy in readWorldFile().
"strcpy(strrchr(wld_filename, '.'), ".wld");" and the following similar lines.
--> no warranty that wld_filename has a point --> Segmentation fault
--> no warranty that the extensions would have at least 3 characters --> (small) buffer overflow.
Attachments (2)
Change History (7)
comment:1 by , 15 years ago
Cc: | added |
---|
comment:2 by , 15 years ago
Cc: | added |
---|
comment:3 by , 15 years ago
Status: | new → assigned |
---|
comment:4 by , 15 years ago
I'd suggest the attached patch, that introduces msResetExtension(), trivially adapted from GDAL CPLResetExtension(). (Note: not tested more than compiling)
by , 15 years ago
Attachment: | mapraster.c.readworldfile.patch added |
---|
by , 15 years ago
Attachment: | mapraster.c.readworldfile.2.patch added |
---|
comment:5 by , 15 years ago
Milestone: | 5.4.1 release → 6.0 release |
---|
Patch looks good to me, thanks Even. Applied to 5.4 branch in r9055. Moving milestone to 6.0.
Steve
Dan, any suggestion on the best fix? Could probably use a function to strip the extension from a filename and use that as a base, or is that overkill...
Steve
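The two failure cases from the description (no dot in the filename, and an extension shorter than three characters), handled by a bounds-checked extension reset. This is an added example, not MapServer or GDAL code and not the attached patch. The name `reset_extension_bounded`, its signature and the sample paths are assumptions for illustration, and it treats only `/` as a path separator.

```c
#include <stdio.h>
#include <string.h>

/* Pattern from the ticket, for comparison (not compiled here):
 *     strcpy(strrchr(wld_filename, '.'), ".wld");
 * "tile"   -> strrchr() returns NULL and strcpy() writes through it.
 * "tile.x" -> ".wld" plus NUL needs 5 bytes where ".x" plus NUL held 3,
 *             so a buffer sized for the original name is overrun. */

/* Hypothetical helper, not MapServer's msResetExtension() or GDAL's
 * CPLResetExtension(): copy `path` into out[0..outsz) with its extension
 * replaced by `ext` (no leading dot). `out` must not overlap `path`.
 * Returns 0 on success, -1 on bad arguments or if the result does not fit. */
int reset_extension_bounded(const char *path, const char *ext,
                            char *out, size_t outsz)
{
    const char *dot, *sep;
    size_t stem, extlen;

    if (path == NULL || ext == NULL || out == NULL || outsz == 0)
        return -1;
    /* Only a dot in the last path component separates an extension. */
    sep = strrchr(path, '/');
    dot = strrchr(path, '.');
    if (dot != NULL && sep != NULL && dot < sep)
        dot = NULL;
    /* No dot: append the extension instead of dereferencing NULL. */
    stem = dot ? (size_t)(dot - path) : strlen(path);
    extlen = strlen(ext);
    /* Need stem + '.' + ext + NUL <= outsz, checked without wrapping. */
    if (outsz < 2 || stem > outsz - 2 || extlen > outsz - 2 - stem) {
        out[0] = '\0';
        return -1;
    }
    memcpy(out, path, stem);
    out[stem] = '.';
    memcpy(out + stem + 1, ext, extlen + 1); /* copies the NUL too */
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *in[] = { "tile.tif", "tile", "tile.x", "/data.v2/tile" };
    char buf[32];
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++) {
        int rc = reset_extension_bounded(in[i], "wld", buf, sizeof buf);
        printf("%-14s -> %s\n", in[i], rc == 0 ? buf : "(does not fit)");
    }
    return 0;
}
```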