Opened 15 years ago
Last modified 15 years ago
#3027 assigned defect
readWorldFile() in mapraster.c could produce a small buffer overflow
| Reported by: | sdlime | Owned by: | sdlime |
|---|---|---|---|
| Priority: | normal | Milestone: | 6.0 release |
| Component: | MapServer C Library | Version: | unspecified |
| Severity: | normal | Keywords: | |
| Cc: | dmorissette, rouault |
Description
Reported by Even Rouault...
I've also seen another potentially unsafe use of strcpy in readWorldFile().
"strcpy(strrchr(wld_filename, '.'), ".wld");" and the following similar lines.
--> no warranty that wld_filename as a point --> Segmentation fault --> no warranty that the extensions would have at least 3 characters --> (small) buffer overflow.
Attachments (2)
Change History (7)
comment:1 by , 15 years ago
| Cc: | added |
|---|
comment:2 by , 15 years ago
| Cc: | added |
|---|
comment:3 by , 15 years ago
| Status: | new → assigned |
|---|
comment:4 by , 15 years ago
I'd suggest the attached patch, that introduces msResetExtension(), trivially adapted from GDAL CPLResetExtension(). (Note: not tested more than compiling)
by , 15 years ago
| Attachment: | mapraster.c.readworldfile.patch added |
|---|
by , 15 years ago
| Attachment: | mapraster.c.readworldfile.2.patch added |
|---|
comment:5 by , 15 years ago
| Milestone: | 5.4.1 release → 6.0 release |
|---|
Patch looks good to me, thanks Even. Applied to 5.4 branch in r9055. Moving milestone to 6.0.
Steve
Note:
See TracTickets
for help on using tickets.
Dan, any suggestion on the best fix? Could probably use a function to strip the extension from a filename and use that as a base, or is that overkill...
Steve