Opened 15 years ago
Closed 15 years ago
#2708 closed defect (fixed)
Potential buffer overflow in GMLHandler::startElement() and GMLHandler::endElement()
Reported by: | Even Rouault | Owned by: | warmerdam |
---|---|---|---|
Priority: | normal | Milestone: | 1.4.5 |
Component: | OGR_SF | Version: | unspecified |
Severity: | normal | Keywords: | gml |
Cc: |
Description
The szElementName variable in both methods is allocated on the stack and tr_strcpy'ed with localname, but without checking the size of localname. It's then easy to trigger a buffer overflow with a GML file containing a long element name. All versions of GDAL with GML driver are affected.
In GDAL 1.6.0, the size used to reallocate m_pszGeometry could be not big enough in those both methods. The fix is to consider the size of the translated char* string, and not the number of characters of the XMLCh* string.
Note:
See TracTickets
for help on using tickets.
Fixed in trunk in r15848, in branches/1.6 in r15849, in branches/1.5 in r15850, in branches/1.4 in r15851