mapshape: check for negative sizes in msSHPReadAllocateBuffer()

MaxKellermann · MaxKellermann · commit 01ca4389ec64 · 2021-10-05T17:51:29.000+02:00
Yet another buffer overflow found by libFuzzer.
diff --git a/mapshape.c b/mapshape.c
@@ -1019,7 +1019,7 @@ static int msSHPReadAllocateBuffer( SHPHandle psSHP, int hEntity, const char* ps
 {
 
   int nEntitySize = msSHXReadSize(psSHP, hEntity);
-  if( nEntitySize > INT_MAX - 8 ) {
+  if( nEntitySize < 0 || nEntitySize > INT_MAX - 8 ) {
       msSetError(MS_MEMERR, "Out of memory. Cannot allocate %d bytes. Probably broken shapefile at feature %d",
                  pszCallingFunction, nEntitySize, hEntity);
       return(MS_FAILURE);

Original file line number	Diff line number	Diff line change
`@@ -1019,7 +1019,7 @@ static int msSHPReadAllocateBuffer( SHPHandle psSHP, int hEntity, const char* ps`
`1019`	`1019`	`{`
`1020`	`1020`
`1021`	`1021`	`int nEntitySize = msSHXReadSize(psSHP, hEntity);`
`1022`		`- if( nEntitySize > INT_MAX - 8 ) {`
	`1022`	`+ if( nEntitySize < 0 \|\| nEntitySize > INT_MAX - 8 ) {`
`1023`	`1023`	`msSetError(MS_MEMERR, "Out of memory. Cannot allocate %d bytes. Probably broken shapefile at feature %d",`
`1024`	`1024`	`pszCallingFunction, nEntitySize, hEntity);`
`1025`	`1025`	`return(MS_FAILURE);`