mapshape: validate numshapes
If the value is implausible, refuse to parse the file, because that
value will be used later in memory allocations.  I used the same limit
as in msSHPOpen().

DoS vulnerability found with libFuzzer.
MaxKellermann authored and rouault committed May 4, 2021
1 parent 9755395 commit b5c0e29
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions mapshape.c
Expand Up @@ -1726,6 +1726,14 @@ int msShapefileOpen(shapefileObj *shpfile, const char *mode, const char *filenam

/* load some information about this shapefile */
msSHPGetInfo( shpfile->hSHP, &shpfile->numshapes, &shpfile->type);

if( shpfile->numshapes < 0 || shpfile->numshapes > 256000000 ) {
msSetError(MS_SHPERR, "Corrupted .shp file : numshapes = %d.",
"msShapefileOpen()", shpfile->numshapes);
msSHPClose(shpfile->hSHP);
return -1;
}

msSHPReadBounds( shpfile->hSHP, -1, &(shpfile->bounds));

bufferSize = strlen(filename)+5;
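
Review bot: On the new error path, `msSHPClose(shpfile->hSHP);` is followed directly by `return -1;`, so `shpfile->hSHP` still holds the closed handle, because the call receives the pointer by value and cannot reset the caller's field. Unless every caller is guaranteed not to touch `shpfile` after a failed open, set `shpfile->hSHP = NULL;` before returning so a later close or read cannot act on a stale handle. Separately, the literal `256000000` is, per the commit message, a copy of the limit in msSHPOpen(); a shared named constant would keep the two checks from drifting apart and would document why this bound was chosen. A short comment above the check noting that numshapes later sizes memory allocations would also help, since that rationale currently lives only in the commit message.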