Commit
mapshape: fix buffer overflow in msSHPReadShape()
The data in panParts is never checked. The only check was "numpoints<=0", but that is not enough. Three very bad things can happen:

- arbitrary huge values, leading to allocations of up to two billion elements (INT_MAX), bypassing the 50 million limit which was previously put on "nPoints"
- overflowing the "pabyRec" buffer in the memcpy() call
- integer overflow in the malloc() call, writing past the allocated buffer

The latter is probably enough for remote code execution.

Vulnerability found with libFuzzer.
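The kind of validation the commit message calls for, as an added C example; it is not the commit's or the project's own code. `check_parts`, its error codes, the 16-byte point size and the `points_off`/`rec_size` parameters are assumptions made for illustration; `panParts`, `nPoints`, `pabyRec` and the 50 million limit come from the message.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_POINTS 50000000 /* the 50 million nPoints limit from the commit message */
#define POINT_BYTES 16      /* assumption: one point is two 8-byte doubles (x, y) */

enum { PARTS_OK = 0, ERR_COUNTS = -1, ERR_PART_RANGE = -2, ERR_RECORD_SIZE = -3 };

/* Hypothetical helper: validate every offset in panParts before any per-part
 * malloc() or memcpy() runs. points_off is the byte offset of the first point
 * inside pabyRec; rec_size is the number of bytes actually read into pabyRec.
 * Both are supplied by the caller. */
int check_parts(const int32_t *panParts, int32_t nParts, int32_t nPoints,
                size_t points_off, size_t rec_size)
{
    if (nParts <= 0 || nPoints <= 0 || nPoints > MAX_POINTS)
        return ERR_COUNTS;

    /* The whole point array must fit in the record that was read.
     * Done in 64 bits: nPoints * 16 is at most 8e8 and cannot wrap. */
    uint64_t need = (uint64_t)points_off + (uint64_t)nPoints * POINT_BYTES;
    if (need > rec_size)
        return ERR_RECORD_SIZE;

    for (int32_t i = 0; i < nParts; i++) {
        int32_t start = panParts[i];
        int32_t end = (i == nParts - 1) ? nPoints : panParts[i + 1];

        /* Compare rather than subtract: end - start on untrusted values can
         * overflow int. 0 <= start < end <= nPoints bounds each part's count
         * by nPoints (so by MAX_POINTS), keeps the memcpy() source inside
         * pabyRec, and keeps count * POINT_BYTES from wrapping in malloc(). */
        if (start < 0 || end > nPoints || start >= end)
            return ERR_PART_RANGE;
    }
    return PARTS_OK;
}

int main(void)
{
    /* Constructed sample: 5 points in 2 parts, then a hostile second offset. */
    const int32_t good[] = {0, 3}, bad[] = {0, INT32_MAX};
    int r1 = check_parts(good, 2, 5, 52, 52 + 5 * POINT_BYTES);
    int r2 = check_parts(bad, 2, 5, 52, 52 + 5 * POINT_BYTES);
    return (r1 == PARTS_OK && r2 == ERR_PART_RANGE) ? 0 : 1;
}
```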