[Backport branch-8-0] flatgeobuf: fix out of bounds read after index search without results (#7047)

This bug has multiple layers.

If an index search is performed in msFlatGeobufLayerWhichShapes and the search has no result, then flatgeobuf_index_search will set search_result_len to zero but also allocate a buffer for zero results. Such a zero-size allocation can return a null pointer or a pointer to a random location. Both cases were problematic.

msFlatGeobufLayerNextShape interprets a null pointer as search_result as if the index was skipped and will try to read all features, but the file handle is at the wrong offset if the index was actually used.

If search_result was given a non-null pointer, msFlatGeobufLayerNextShape will check if there are more results with the following condition:

    if (ctx->search_index >= ctx->search_result_len - 1) return MS_DONE;

With an empty search the result length is zero and, because it is unsigned, it will underflow and the check returns false. As a consequence it will read the first search result where there is none.

The outcome is that item.offset is a random value and either the following seek fails (which results in a maperror), or if it succeeds the following read most likely fails with an EOF (which then produces the correct output by accident and no error), or if the read succeeds the following buffer allocation most likely fails as "too huge", or if that also succeeds decoding of the next feature will most likely fail.
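The unsigned underflow and the empty-result allocation described in the commit message, as an added example in C that is not MapServer's code. The names (fgb_ctx_t, next_shape_buggy, next_shape_fixed, store_search_result_buggy, store_search_result_fixed, drain), the two-hit sample array and the assumption that search_index is the index of the next hit to consume are all hypothetical. The termination condition in the buggy variant is the one quoted in the message; the hardened variant replaces the subtraction with a direct comparison and records index use with an explicit flag instead of testing the pointer for NULL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the reader state; not MapServer's struct.
 * search_index is assumed to be the index of the next hit to consume. */
enum next_action {
    NEXT_DONE,       /* no more features */
    NEXT_READ_HIT,   /* seek to *offset and decode one feature */
    NEXT_READ_ALL,   /* index treated as skipped: read features sequentially */
    NEXT_OOB         /* instrumentation only: would have read past the hit array */
};

typedef struct { uint64_t offset; } hit_t;

typedef struct {
    hit_t  *search_result;      /* hits from the index search, or NULL */
    size_t  search_result_len;  /* unsigned: len - 1 wraps to SIZE_MAX when len == 0 */
    size_t  search_index;
    int     index_used;         /* fixed variant: explicit flag instead of a pointer test */
} fgb_ctx_t;

/* Constructed sample: feature offsets a hypothetical index search selected. */
static hit_t sample_hits[2] = { { 128 }, { 4096 } };

/* Reader logic as the commit message describes it. */
enum next_action next_shape_buggy(fgb_ctx_t *ctx, uint64_t *offset)
{
    if (ctx->search_result == NULL)
        return NEXT_READ_ALL;        /* NULL taken to mean "no index search ran" */
    /* With search_result_len == 0 the subtraction yields SIZE_MAX, the
     * comparison is false, and the reader proceeds to a hit that does not exist. */
    if (ctx->search_index >= ctx->search_result_len - 1)
        return NEXT_DONE;
    if (ctx->search_index >= ctx->search_result_len)
        return NEXT_OOB;             /* the real reader dereferences garbage here */
    *offset = ctx->search_result[ctx->search_index++].offset;
    return NEXT_READ_HIT;
}

/* Hardened variant: never subtract from the unsigned length, and decide
 * "was the index used" from a flag rather than from the pointer value. */
enum next_action next_shape_fixed(fgb_ctx_t *ctx, uint64_t *offset)
{
    if (!ctx->index_used)
        return NEXT_READ_ALL;
    if (ctx->search_index >= ctx->search_result_len)
        return NEXT_DONE;            /* covers the empty result without underflow */
    *offset = ctx->search_result[ctx->search_index++].offset;
    return NEXT_READ_HIT;
}

/* Stores an index search result the way the message describes: a buffer is
 * allocated even for zero hits, so malloc(0) decides between NULL and a
 * non-NULL pointer that must not be dereferenced (implementation-defined). */
void store_search_result_buggy(fgb_ctx_t *ctx, const hit_t *hits, size_t n)
{
    ctx->search_result = malloc(n * sizeof *hits);
    if (ctx->search_result && n)
        memcpy(ctx->search_result, hits, n * sizeof *hits);
    ctx->search_result_len = n;
    ctx->search_index = 0;
}

/* Fixed store: no allocation for zero hits, index use recorded explicitly. */
void store_search_result_fixed(fgb_ctx_t *ctx, const hit_t *hits, size_t n)
{
    ctx->search_result = NULL;
    if (n) {
        ctx->search_result = malloc(n * sizeof *hits);
        memcpy(ctx->search_result, hits, n * sizeof *hits);
    }
    ctx->search_result_len = n;
    ctx->search_index = 0;
    ctx->index_used = 1;
}

/* Drives a reader until it stops consuming hits and returns the action that
 * ended the loop, so an empty search is observable without any dereference. */
enum next_action drain(enum next_action (*next)(fgb_ctx_t *, uint64_t *),
                       fgb_ctx_t *ctx, size_t *n_read)
{
    uint64_t off;
    enum next_action a;
    *n_read = 0;
    while ((a = next(ctx, &off)) == NEXT_READ_HIT)
        (*n_read)++;
    return a;
}
```

The NEXT_OOB branch exists only to make the out-of-bounds read visible; the reader in the message has no such guard and inherits whatever item.offset happens to hold, which is where the failing seek, EOF, oversized allocation or decode error come from. Passing a non-NULL pointer with a zero length to next_shape_buggy reproduces the underflow path deterministically, without depending on what malloc(0) returns on a given platform.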