Opened 14 years ago

Closed 14 years ago

Last modified 14 years ago

#2944 closed defect (fixed)

CGI file creation does not adequately check input which could lead to a buffer overflow.

Reported by: sdlime Owned by: sdlime
Priority: highest Milestone: 6.0 release
Component: MapServer C Library Version: unspecified
Severity: normal Keywords:
Cc: dmorissette


Several places in mapserv.c and maptemplate.c create temporary file names using a static buffer. Several values including map->name and map->imagepath are used to create file names for things like maps, legends and such. If a mapfile were crafted with very long values for those parameters it is possible to overflow the static buffer.

Solution is to use snprintf instead of sprintf to ensure that a limited number of characters can be written to the static buffer. If more characters are present then MapServer will throw an error about not being able to open a file for writing.


Change History (9)

comment:1 by sdlime, 14 years ago

Status: newassigned

comment:2 by sdlime, 14 years ago

Referencing CVE-2009-0839...

comment:3 by dmorissette, 14 years ago

Cc: dmorissette added

comment:4 by sdlime, 14 years ago

Milestone: 5.2.2 release5.4 release

Fixed r8805 for MapServer 5.2 branch. Fixed in r8823 for 4.10 branch. Moving to 5.4 now.


comment:5 by sdlime, 14 years ago

Fixed in 5.4 branch in r8856, moving to 6.0/trunk.


comment:6 by sdlime, 14 years ago

Milestone: 5.4 release6.0 release

comment:7 by sdlime, 14 years ago

Resolution: fixed
Status: assignedclosed

Fixed in trunk, closing. -Steve

comment:8 by sdlime, 14 years ago

Referencing CVE-2009-1177... Steve

comment:9 by aboudreault, 14 years ago

Backported to branch-5-0 in r9199

Note: See TracTickets for help on using tickets.