mapshape: fix buffer overflow in msSHPReadShape()

The data in panParts is never checked. The only check was "numpoints<=0", but that is not enough. Three very bad things can happen: - arbitrary huge values, leading to allocations of up to two billion elements (INT_MAX), bypassing the 50 million limit which was previously put on "nPoints" - overflowing the "pabyRec" buffer in the memcpy() call - integer overflow in the malloc() call, writing past the allocated buffer The latter is probably enough for remote code execution. Vulnerability found with libFuzzer.
MapServer · Oct 5, 2021 · 89b4448 · 89b4448
1 parent 78d9fe2
commit 89b4448
Showing 1 changed file with 6 additions and 5 deletions.
diff --git a/mapshape.c b/mapshape.c
@@ -1372,11 +1372,12 @@ void msSHPReadShape( SHPHandle psSHP, int hEntity, shapeObj *shape )
 
     k = 0; /* overall point counter */
     for( i = 0; i < nParts; i++) {
-      if( i == nParts-1)
-        shape->line[i].numpoints = nPoints - psSHP->panParts[i];
-      else
-        shape->line[i].numpoints = psSHP->panParts[i+1] - psSHP->panParts[i];
-      if (shape->line[i].numpoints <= 0) {
+      const ms_int32 end = i == nParts - 1
+        ? nPoints
+        : psSHP->panParts[i+1];
+      shape->line[i].numpoints = end - psSHP->panParts[i];
+      if (psSHP->panParts[i] < 0 || end < 0 || end > nPoints ||
+          psSHP->panParts[i] >= end) {
         msSetError(MS_SHPERR, "Corrupted .shp file : shape %d, shape->line[%d].numpoints=%d", "msSHPReadShape()",
                    hEntity, i, shape->line[i].numpoints);
         while(--i >= 0)