Opened 12 years ago
Last modified 12 years ago
#4092 assigned defect
segfault on empty multipolygon class evaluation
| Reported by: | fake | Owned by: | sdlime |
|---|---|---|---|
| Priority: | normal | Milestone: | 6.0.2 release |
| Component: | MapServer C Library | Version: | 6.0 |
| Severity: | critical | Keywords: | msEvalExpression empty multipolygon |
| Cc: |
Description
Version: mapserver 6.0.1 built from source
when seeding an osm planet i noticed mapserver segfaulting. in debug level 5 on the layer, i saw the query it ran, and examined the one returned row - it has a geometry set, but asText() reports the geometry as being "MULTIPOLYGON EMPTY".
it seems the that shape->numvalues is never checked before the shape->values[itemindex] is called in the source line below.
the backtrace:
Program received signal SIGSEGV, Segmentation fault. 0x000000000044e39f in msEvalExpression (layer=0x858a10, shape=0x7fffffffdac0, expression=0x85a0c0, itemindex=0) at maputil.c:474 474 if(ms_regexec(&(expression->regex), shape->values[itemindex], 0, NULL, 0) == 0) return MS_TRUE; /* got a match */ (gdb) bt #0 0x000000000044e39f in msEvalExpression (layer=0x858a10, shape=0x7fffffffdac0, expression=0x85a0c0, itemindex=0) at maputil.c:474 #1 0x000000000044e8d3 in msShapeGetClass (layer=0x858a10, map=0x7ed960, shape=0x7fffffffdac0, classgroup=0x0, numclasses=9) at maputil.c:561 #2 0x000000000048498c in msDrawVectorLayer (map=0x7ed960, layer=0x858a10, image=0x99a280) at mapdraw.c:869 #3 0x00000000004841db in msDrawLayer (map=0x7ed960, layer=0x858a10, image=0x99a280) at mapdraw.c:728 #4 0x000000000048320a in msDrawMap (map=0x7ed960, querymap=0) at mapdraw.c:422 #5 0x000000000052320a in msWMSGetMap (map=0x7ed960, nVersion=65793, names=0x7ecad0, values=0x7ece00, numentries=11, wms_exception_format=0x0, ows_request=0x7fffffffdf00) at mapwms.c:2900 #6 0x000000000052745a in msWMSDispatch (map=0x7ed960, req=0x7eca90, ows_request=0x7fffffffdf00, force_wms_mode=0) at mapwms.c:4143 #7 0x00000000004963ba in msOWSDispatch (map=0x7ed960, request=0x7eca90, ows_mode=-1) at mapows.c:76 #8 0x0000000000415dd4 in main (argc=3, argv=0x7fffffffe538) at mapserv.c:1241
this is related, but not similar to #3628.
Change History (4)
comment:1 by , 12 years ago
comment:2 by , 12 years ago
I am not able to reproduce the problem myself, but I think a change like this might make things more broadly safe.
Index: maputil.c
===================================================================
--- maputil.c (revision 12800)
+++ maputil.c (working copy)
@@ -416,7 +416,7 @@
msSetError(MS_MISCERR, "Cannot evaluate expression, no item index defined.", "msEvalExpression()");
return MS_FALSE;
}
- if(itemindex >= layer->numitems) {
+ if(itemindex >= layer->numitems || itemindex >= shape->numitems) {
msSetError(MS_MISCERR, "Invalid item index.", "msEvalExpression()");
return MS_FALSE;
}
@@ -451,7 +451,7 @@
msSetError(MS_MISCERR, "Cannot evaluate expression, no item index defined.", "msEvalExpression()");
return MS_FALSE;
}
- if(itemindex >= layer->numitems) {
+ if(itemindex >= layer->numitems || itemindex >= shape->numitems) {
msSetError(MS_MISCERR, "Invalid item index.", "msEvalExpression()");
return MS_FALSE;
}
I'll leave this for Steve.
comment:3 by , 12 years ago
| Milestone: | → 6.0.2 release |
|---|---|
| Status: | new → assigned |
comment:4 by , 12 years ago
regarding above patch: at least in 6.0.1 it's shape->numvalues, not shape->numitems ;-)
Note:
See TracTickets
for help on using tickets.
this is my cowardly workaround:
--- maputil.c.orig 2011-11-24 00:59:20.105602216 +0100 +++ maputil.c 2011-11-24 01:00:24.097602711 +0100 @@ -558,7 +558,7 @@ continue; //skip this one, next class } - if(layer->class[iclass]->status != MS_DELETE && msEvalExpression(layer, shape, &(layer->class[iclass]->expression), layer->classitemindex) == MS_TRUE) + if(layer->class[iclass]->status != MS_DELETE && shape->numvalues > layer->classitemindex && msEvalExpression(layer, shape, &(layer->class[iclass]->expression), layer->classitemindex) == MS_TRUE) return(iclass); } }