mapshape: validate numshapes
If the value is implausible, refuse to parse the file, because that
value will be used later in memory allocations.  I used the same limit
as in msSHPOpen().

DoS vulnerability found with libFuzzer.
MaxKellermann authored and rouault committed May 4, 2021
1 parent 9755395 commit b5c0e29
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions mapshape.c
@@ -1726,6 +1726,14 @@ int msShapefileOpen(shapefileObj *shpfile, const char *mode, const char *filenam

/* load some information about this shapefile */
msSHPGetInfo( shpfile->hSHP, &shpfile->numshapes, &shpfile->type);

if( shpfile->numshapes < 0 || shpfile->numshapes > 256000000 ) {
msSetError(MS_SHPERR, "Corrupted .shp file : numshapes = %d.",
"msShapefileOpen()", shpfile->numshapes);
msSHPClose(shpfile->hSHP);
return -1;
}

msSHPReadBounds( shpfile->hSHP, -1, &(shpfile->bounds));

bufferSize = strlen(filename)+5;
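
Review bot: The upper bound 256000000 in the new `if` is a bare literal that, per the commit message, duplicates the limit in msSHPOpen(); please move it into a shared named constant so the two checks cannot drift apart, and add a short comment at the check saying that numshapes later sizes memory allocations. On the error path, `msSHPClose(shpfile->hSHP)` is followed directly by `return -1` without resetting `shpfile->hSHP`, so the struct keeps a pointer to a closed handle; setting it to NULL before returning would make a later close or reuse by the caller safe. Since this came from a fuzzer, a regression test with a .shp header carrying an out-of-range record count would also be worth adding alongside the fix.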