Opened 20 years ago
Closed 20 years ago
#700 closed defect (duplicate)
mapcopy bug using same string twice
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | high | Milestone: | |
| Component: | MapServer C Library | Version: | 4.3 |
| Severity: | normal | Keywords: | |
| Cc: |
Description
Hi, mapcopy has a bug in the copyWeb using copyStringProperty that existing sting in the original simply assignes to the destination. The freeMap then call free twice for the same pointer, and that makes heap corruption. The patch follows.
Attachments (2)
Change History (4)
by , 20 years ago
| Attachment: | mapcopy.patch.txt added |
|---|
comment:1 by , 20 years ago
| Owner: | changed from to |
|---|
comment:2 by , 20 years ago
| Resolution: | → duplicate |
|---|---|
| Status: | new → closed |
This bug is obolete now.
The proposed solution is in the #701.
It resolves both memory corruption caused by strcpy overflow and stuct copy.
The example of the problem is here:
initMap...
map->name = strdup("MS");
leter copying the map using copyStringProperty...
if (*dst)
strcpy(*dst, src);
And that is the problem, cause the src might be (and mostly it is) larger then
the allocated deault memory.
*** This bug has been marked as a duplicate of 701 ***
Note:
See TracTickets
for help on using tickets.
using copyStringPropertyRealloc