mapshape: fix buffer overflow in msSHPReadShape()

The data in panParts is never checked. There are checks for "numpoints<=0" and "numpoints>nPoints" (the latter added by commit fcf13d8), but that is not enough. It is still possible to overflow the "pabyRec" buffer by repeatedly reading "nPoints". The code allows each single iteration to read "nPoints". Vulnerability found with libFuzzer.
MapServer · Oct 5, 2021 · 930cdf0 · 930cdf0
1 parent e110cf4
commit 930cdf0
Showing 1 changed file with 6 additions and 5 deletions.
diff --git a/mapshape.c b/mapshape.c
@@ -1347,11 +1347,12 @@ void msSHPReadShape( SHPHandle psSHP, int hEntity, shapeObj *shape )
 
     k = 0; /* overall point counter */
     for( i = 0; i < nParts; i++) {
-      if( i == nParts-1)
-        shape->line[i].numpoints = nPoints - psSHP->panParts[i];
-      else
-        shape->line[i].numpoints = psSHP->panParts[i+1] - psSHP->panParts[i];
-      if (shape->line[i].numpoints <= 0 || shape->line[i].numpoints > nPoints) {
+      const ms_int32 end = i == nParts - 1
+        ? nPoints
+        : psSHP->panParts[i+1];
+      shape->line[i].numpoints = end - psSHP->panParts[i];
+      if (psSHP->panParts[i] < 0 || end < 0 || end > nPoints ||
+          psSHP->panParts[i] >= end) {
         msSetError(MS_SHPERR, "Corrupted .shp file : shape %d, shape->line[%d].numpoints=%d", "msSHPReadShape()",
                    hEntity, i, shape->line[i].numpoints);
         while(--i >= 0)