Fix buffer overflow / memory leak in mapuvraster.c #5148

Closed

gogglesguy
Contributor

@gogglesguy gogglesguy commented Aug 21, 2015

Using uvlinfo->height instead of uvlinfo->width will either get you a buffer overflow or memory leak depending on whether width or height is larger.
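
The width/height mix-up described in this comment, as an added C example that is not MapServer's code or part of the pull request. The `uv_grid` layout (an array of `width` column pointers), the helper names and the sizes are assumptions chosen to model it; out-of-range indexes are counted rather than dereferenced so the program stays well-defined.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the layer's buffers; not MapServer's struct. */
typedef struct {
    int width, height;
    float **u;               /* `width` pointers, each to `height` floats */
} uv_grid;

typedef struct { int freed, leaked, out_of_bounds; } free_report;

static void grid_alloc(uv_grid *g, int width, int height) {
    g->width = width;
    g->height = height;
    g->u = calloc((size_t)width, sizeof *g->u);
    if (!g->u) abort();      /* allocation failure is not the case under study */
    for (int i = 0; i < width; i++) {
        g->u[i] = calloc((size_t)height, sizeof **g->u);
        if (!g->u[i]) abort();
    }
}

/* Free the columns using `bound` as the loop limit, as a cleanup loop would.
 * An index >= width would read past the pointer array: count it, don't do it. */
static free_report grid_free(uv_grid *g, int bound) {
    free_report r = {0, 0, 0};
    for (int i = 0; i < bound; i++) {
        if (i >= g->width) { r.out_of_bounds++; continue; }
        free(g->u[i]);
        g->u[i] = NULL;
        r.freed++;
    }
    /* Columns the loop never reached are what a real program would leak. */
    for (int i = 0; i < g->width; i++)
        if (g->u[i]) { r.leaked++; free(g->u[i]); }
    free(g->u);
    g->u = NULL;
    return r;
}

/* use_height != 0 models the wrong bound, 0 the corrected one. */
static free_report run_case(int width, int height, int use_height) {
    uv_grid g;
    grid_alloc(&g, width, height);
    return grid_free(&g, use_height ? g.height : g.width);
}

int main(void) {
    free_report a = run_case(4, 6, 1), b = run_case(6, 4, 1), c = run_case(6, 4, 0);
    printf("height>width, wrong bound: %d out-of-bounds\n", a.out_of_bounds);
    printf("width>height, wrong bound: %d leaked\n", b.leaked);
    printf("correct bound: %d leaked, %d out-of-bounds\n", c.leaked, c.out_of_bounds);
    return 0;
}
```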

gogglesguy added 4 commits Aug 21, 2015
itemindexes gets freshly allocated and never gets any -1 assignment. Use else instead.
In the first LayerOpen call, data gets allocated and refcount gets initialized to 1. Calling LayerClose should do the opposite, however comparing refcount < 0 requires an additional LayerClose. Use refcount < 1 instead.
@sdlime
Member

sdlime commented Aug 21, 2015

@dmorissette, something you can look at?

@gogglesguy
Contributor Author

gogglesguy commented Aug 21, 2015

So checking for -1 for itemindexes on an uninitialized array was wrong. Returning from the item loop early in msUVRASTERLayerInitItemInfo would result in uninitialized values in itemindexes and eventually propagated to values as well. Perhaps because msUVRASTERLayerGetItems was never called?

@gogglesguy
Contributor Author

gogglesguy commented Aug 24, 2015

Although the test suite fails (it no longer crashes, yay!), I believe the output images look fine. I'm sure @dmorissette can take a look at this :)

@dmorissette
Contributor

dmorissette commented Sep 3, 2015

I hate to be blocking this but I don't think I'll be able to look into this anytime soon. As I'm not the author of the code anyway, any other committer would be as good as me to reproduce/test and validate the fix.

@tbonfort
Member

tbonfort commented Sep 8, 2015

applied/squashed in d6d3432, thanks

@tbonfort tbonfort closed this Sep 8, 2015
@dmorissette
Contributor

dmorissette commented Sep 8, 2015

Thank you @tbonfort
