[Backport branch-8-0] flatgeobuf: fix out of bounds read after index …

…search without results (#7047) This bug has multiple layers. If an index search is performed in msFlatGeobufLayerWhichShapes and the search has no result then flatgeobuf_index_search will set search_result_len to zero but also allocate a buffer for zero results. Such a zero size allocation can return a null pointer or a pointer to a random location. Both cases were problematic. msFlatGeobufLayerNextShape interprets a null pointer as search_result as index was skipped and will try to read all features but the file handle is at the wrong offset if the index was actually used. If search_result was given a non-null pointer msFlatGeobufLayerNextShape will check if there are more results found with the following condition: if (ctx->search_index >= ctx->search_result_len - 1) return MS_DONE; With an empty search the result length is zero and because it is unsigned it will underflow and check return false. As consequence it will read the first search result where none is. The outcome is that item.offset is a random value and either the following seek fails (which results in a maperror) or if it succeeds the following read most likely fails with an EOF (which then produces the correct output by accident and no error) or if the read succeeds the following buffer allocation most likely fails as "too huge" or if that also succeeds decoding of the next feature will most likely fail.
MapServer · Mar 10, 2024 · 465cca7 · 465cca7
1 parent 97fe297
commit 465cca7
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 2 deletions.
diff --git a/mapflatgeobuf.c b/mapflatgeobuf.c
@@ -217,10 +217,13 @@ int msFlatGeobufLayerWhichShapes(layerObj *layer, rectObj rect, int isQuery) {
     return MS_DONE;
 
   if (msRectContained(&ctx->bounds, &rect) == MS_FALSE &&
-      ctx->index_node_size > 0)
+      ctx->index_node_size > 0) {
     flatgeobuf_index_search(ctx, &rect);
-  else
+    if (ctx->search_result_len == 0)
+      return MS_DONE;
+  } else {
     flatgeobuf_index_skip(ctx);
+  }
 
   return MS_SUCCESS;
 }

diff --git a/msautotest/misc/expected/flatgeobuf-ocean.png b/msautotest/misc/expected/flatgeobuf-ocean.png
diff --git a/msautotest/misc/flatgeobuf.map b/msautotest/misc/flatgeobuf.map
@@ -5,6 +5,8 @@
 #
 #RUN_PARMS: flatgeobuf-continent.png [MAP2IMG] -m [MAPFILE] -i png -o [RESULT] -l africa-continent
 #RUN_PARMS: flatgeobuf-classes.png [MAP2IMG] -m [MAPFILE] -i png -o [RESULT] -l africa-classes
+# Given extent is fully in the Atlantic Ocean therefore no feature is selected and the result empty
+#RUN_PARMS: flatgeobuf-ocean.png [MAP2IMG] -m [MAPFILE] -i png -e -7 -17 -4 -14 -s 50 50 -o [RESULT] -l africa-continent
 #
 # WFS 1.0.0
 #