mapshape: check for negative sizes in msSHPReadAllocateBuffer()

Yet another buffer overflow found by libFuzzer.
MapServer · Oct 5, 2021 · 556a728 · 556a728
1 parent 67fb0e8
commit 556a728
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/mapshape.c b/mapshape.c
@@ -993,7 +993,7 @@ static int msSHPReadAllocateBuffer( SHPHandle psSHP, int hEntity, const char* ps
 {
 
   int nEntitySize = msSHXReadSize(psSHP, hEntity);
-  if( nEntitySize > INT_MAX - 8 ) {
+  if( nEntitySize < 0 || nEntitySize > INT_MAX - 8 ) {
       msSetError(MS_MEMERR, "Out of memory. Cannot allocate %d bytes. Probably broken shapefile at feature %d",
                  pszCallingFunction, nEntitySize, hEntity);
       return(MS_FAILURE);