#3642 closed defect (fixed)
non existing symbol indexes can crash Mapserver
Reported by: | bartvde | Owned by: | sdlime |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | MapServer C Library | Version: | svn-trunk (development) |
Severity: | normal | Keywords: | |
Cc: | dmorissette, aboudreault |
Description
Putting quotes around will yield an error, so not a crash:
msLoadMap(): General error message. Undefined symbol "604310017" in class 0, style 0 of layer AAA212. msAddImageSymbol(): Unable to access file. Error opening image file /data/OGC_UMN_services/604310017.
I think these MAP files were generated by some tool from ArcGIS, and invalid symbol indexes were created. However, apparently MS 5.2 ignored this?
E-mail from Daniel:
Bart,
Is "604310017" a symbol name? If you add quotes around it in the mapfile then the entry should be treated as a symbol name and the seg fault would go away, can you verify that?
I suspect the integer value 604310017 (without quotes) is treated as an index and used to access the array of symbols without bounds checking. Please file a ticket and we'll have a look.
Daniel
Bart van den Eijnden (OSGIS) wrote:
Hi list,
we have some faulty MAP files, which did not crash MS 5.2, however they do seem to crash MS trunk.
It results in a segfault (e.g. in a WMS GetCapabilities request) when we use e.g.
SYMBOL 604310017
Any idea what has changed in the meantime to cause this to segfault?
TIA.
Best regards, Bart
Change History (12)
comment:1 by , 13 years ago
Version: | unspecified → svn-trunk (development) |
---|
comment:2 by , 13 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
comment:3 by , 13 years ago
Cc: | added |
---|
comment:4 by , 13 years ago
Resolution: | fixed |
---|---|
Status: | closed → reopened |
This does not seem to fix my issue, could there be yet another issue? Gdb points to loadMapInternal, but I don't have the full debug symbols unfortunately.
Program received signal SIGSEGV, Segmentation fault.
0x080dcdd0 in loadMapInternal ()
(gdb) bt
#0 0x080dcdd0 in loadMapInternal ()
#1 0x080dd759 in msLoadMap ()
#2 0x080b7482 in loadMap ()
#3 0x080b9436 in main ()
(gdb) exit
comment:5 by , 13 years ago
Potential fix (not sure if giving an error in the GetCapabilities is the right way to proceed, so I left it out here for now):
--- mapfile.c 2011-01-10 12:48:21.000000000 +0100 +++ mapfile.c 2011-01-10 12:59:37.000000000 +0100 @@ -5040,7 +5040,10 @@ for(k=0; k<class->numstyles; k++) { styleObj *style = class->styles[k]; if(style->symbol != 0) { - symbolObj *symbol = map->symbolset.symbol[style->symbol]; + symbolObj *symbol = NULL; + if (style->symbol < map->symbolset.numsymbols) { + symbol = map->symbolset.symbol[style->symbol]; + } if (symbol) { if(style->gap == 0)
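Review bot: the added range check in the style loop bounds style->symbol only from above, and the guard ahead of it is `if(style->symbol != 0)`, so if that field is a signed integer a negative value still reaches `map->symbolset.symbol[style->symbol]`. Suggest testing both ends, e.g. `if (style->symbol > 0 && style->symbol < map->symbolset.numsymbols)`. Separately, an out-of-range index now leaves `symbol` NULL and the style is skipped without any message; reporting the invalid index here, or rejecting it when the mapfile is loaded, would tell the user which SYMBOL value is wrong instead of silently dropping it.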
comment:6 by , 13 years ago
There is a msResolveSymbolNames() call before this code.... it should return MS_FAILURE. I will check why it doesn't.
comment:7 by , 13 years ago
Oh, wrong comment. This is not the ticket #3641. Let me take a closer look.
comment:8 by , 13 years ago
bartvde, trying to reproduce your last seg fault... how do you test it? I can't reproduce it when I quote my symbol name (which is 3456876). Do you test with latest svn trunk?
comment:9 by , 13 years ago
Sorry I was using r10376 from a few months back. If you have confirmed things are okay in trunk, then please close the bug.
comment:10 by , 13 years ago
Resolution: | → fixed |
---|---|
Status: | reopened → closed |
Closing the bug, things are ok with my tests. Reopen it if needed.
comment:11 by , 13 years ago
Just to check we tested the same thing, my test was using SYMBOL 10000000 (so no quotes) and then calling a WMS GetCapabilities request.
comment:12 by , 13 years ago
Since the ticket #3641 is fixed, you will get an error when you do not use quotes that says the symbol is invalid.
r10809
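The distinction this ticket turns on (an unquoted SYMBOL value used as an array index versus a quoted value looked up by name) can be shown with a small resolver that range-checks the index before it is used. This is an added example, not MapServer code; the `demo_*` types, function and sample symbol set are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified symbol set; not MapServer's own structures. */
typedef struct { const char *name; } demo_symbol;
typedef struct { demo_symbol *symbols; int numsymbols; } demo_symbolset;

/* Resolve a SYMBOL value from a mapfile-like token.
 * quoted != 0: the token is a symbol name and is looked up by name.
 * quoted == 0: the token is a numeric index and is range-checked
 * before it could ever be used to subscript the array.
 * Returns the index (>= 0) on success, -1 if the symbol does not exist. */
int demo_resolve_symbol(const demo_symbolset *set, const char *token, int quoted)
{
    if (quoted) {
        for (int i = 0; i < set->numsymbols; i++)
            if (set->symbols[i].name && strcmp(set->symbols[i].name, token) == 0)
                return i;
        return -1;                 /* undefined name: an error, not a crash */
    }
    char *end = NULL;
    errno = 0;
    long idx = strtol(token, &end, 10);
    if (errno != 0 || end == token || *end != '\0')
        return -1;                 /* not a clean integer */
    if (idx < 0 || idx >= set->numsymbols)
        return -1;                 /* reject negative and too-large indexes */
    return (int)idx;
}

/* Constructed sample data: index 0 is a placeholder for "no symbol". */
static demo_symbol demo_syms[] = { { NULL }, { "circle" }, { "square" } };
static const demo_symbolset demo_set = { demo_syms, 3 };

int main(void)
{
    const char *tokens[] = { "2", "604310017", "-1", "square" };
    const int quoted[] = { 0, 0, 0, 1 };
    for (int i = 0; i < 4; i++)
        printf("%s (%s) -> %d\n", tokens[i], quoted[i] ? "name" : "index",
               demo_resolve_symbol(&demo_set, tokens[i], quoted[i]));
    return 0;
}
```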