Commit
mapshape: fix buffer overflow in msSHPReadShape()
The data in panParts is never checked. There are checks for "numpoints<=0" and "numpoints>nPoints" (the latter added by commit fcf13d8), but that is not enough. It is still possible to overflow the "pabyRec" buffer by repeatedly reading "nPoints". The code allows each single iteration to read "nPoints". Vulnerability found with libFuzzer.
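The gap between per-part and cumulative validation described in the commit message, as an added example (not MapServer code and not part of this commit). It is a simplified model: the function names, the 16-byte point size, and the sample index arrays are assumptions constructed for illustration, and the negative start indexes are only one constructed way the per-part checks can pass while the total exceeds the declared point count.

```c
#include <stddef.h>
#include <stdint.h>

#define POINT_SIZE 16u /* assumed: one point = two 8-byte doubles (x, y) */

/* Constructed samples: part start indexes for a record declaring 10 points. */
static const int32_t bad_parts[4] = { -26, -17, -8, 1 };
static const int32_t good_parts[3] = { 0, 4, 7 };

/* Model of per-iteration checks only: numpoints <= 0 and numpoints > nPoints.
 * Returns the total points the loop would read, or -1 if a part is rejected. */
int64_t per_part_checks_only(const int32_t *parts, int32_t n_parts, int32_t n_points)
{
    int64_t total = 0;
    for (int32_t i = 0; i < n_parts; i++) {
        int64_t end = (i == n_parts - 1) ? n_points : parts[i + 1];
        int64_t numpoints = end - parts[i];
        if (numpoints <= 0 || numpoints > n_points)
            return -1;
        total += numpoints;
    }
    return total;
}

/* Hypothetical stricter check: returns 1 only if every part start is a valid
 * index and all reads together stay inside points_len bytes of point data. */
int parts_fit_record(const int32_t *parts, int32_t n_parts,
                     int32_t n_points, size_t points_len)
{
    if (n_parts <= 0 || n_points <= 0)
        return 0;
    if ((size_t)n_points > points_len / POINT_SIZE) /* declared count must fit */
        return 0;
    int64_t total = 0;
    for (int32_t i = 0; i < n_parts; i++) {
        int64_t start = parts[i];
        int64_t end = (i == n_parts - 1) ? n_points : parts[i + 1];
        if (start < 0 || end > n_points || end <= start) /* validate indexes */
            return 0;
        total += end - start;
        if (total > n_points) /* second guard on the running sum */
            return 0;
    }
    return 1;
}
```

With the constructed `bad_parts`, every part individually reads 9 points and passes the per-part model, yet the parts together ask for 36 points from a record that declares 10.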