oracle - fixing memory handling error
If the memory area pointed to by table_name is too small, it is resized by
multiplying its size by 2. But if this occurs, the tgt variable used in
the "for" loop continues to point to a memory area which might have become
invalid (because the realloc could have moved the memory somewhere else,
depending on how the OS manages the memory).

To fix this, in my understanding, the tgt pointer should be readjusted
to the new location pointed to by table_name.

Running valgrind without my patch (sources based on the 7.0.1 version,
but the maporaclespatial.c is identical to master):

==1908== Invalid write of size 1
==1908==    at 0x4E81FEF: msSplitData (in /usr/lib/x86_64-linux-gnu/libmapserver.so.7.0.1)

Tests: runtime tested in a docker composition

Note: valgrind continues to indicate some errors related to this msSplitData()
method:

==1945== 32,000 bytes in 1 blocks are definitely lost in loss record 264
of 268
==1945==    at 0x4C2AF2E: realloc (vg_replace_malloc.c:692)
==1945==    by 0x4EBDF4B: msSplitData (maporaclespatial.c:404)
==1945==    by 0x4EC90E0: msOracleSpatialLayerTranslateFilter (maporaclespatial.c:3499)

I wonder if in the context of msOracleSpatialLayerTranslateFilter(),
the pointers are still valid when they are actually freed at the end of
the method.
pmauduit authored and tbonfort committed Jan 17, 2017
1 parent 506c173 commit bbe23e8
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions maporaclespatial.c
Expand Up @@ -399,8 +399,10 @@ static int msSplitData( char *data, char **geometry_column_name, char **table_na
break; /* stop on spaces */
/* double the size of the table_name array if necessary */
if (i == table_name_size) {
size_t tgt_offset = tgt - *table_name;
table_name_size *= 2;
*table_name = (char *) realloc(*table_name,sizeof(char *) * table_name_size);
tgt = *table_name + tgt_offset;
}
*tgt = *src;
}
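Review bot: the return value of `realloc` on the `*table_name = (char *) realloc(...)` line is still unchecked; if the allocation fails, `*table_name` becomes NULL, `tgt = *table_name + tgt_offset` yields an invalid pointer that `*tgt = *src` then writes through, and the original buffer is leaked because its only reference was overwritten. Assign the result to a temporary first and return an error from msSplitData when it is NULL, only then storing it into `*table_name` and rebasing `tgt`. Saving `tgt_offset` before the `realloc` and recomputing `tgt` from the new base is the right way to handle the dangling pointer described in the commit message. A minor point on the same line: the buffer holds `char`, so the size should be `sizeof(char) * table_name_size` (or simply `table_name_size`); `sizeof(char *)` over-allocates by a factor of the pointer size, which is harmless but misleading and does not match `table_name_size` being compared against the character index `i`.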
