Browse files

oracle - fixing memory handling error

If the memory area pointed by table_name is too small, it is resized
multiplying its size by 2. But if this occurs, the tgt variable used in
the "for" loop continues to point on a memory area which might have become
invalid (because the realloc could have moved the memory somewhere else,
depending on how the OS manages the memory).

To fix this, in my understanding, the tgt pointer should be readjusted
to the new location pointed by table_name.

Running valgrind without my patch (sources based on the 7.0.1 version,
but the maporaclespatial.c is identical to master):

==1908== Invalid write of size 1
==1908==    at 0x4E81FEF: msSplitData (in /usr/lib/x86_64-linux-gnu/

Tests: runtime tested in a docker composition

Note: valgrinds continues to indicate some errors related to this msSplitData()

==1945== 32,000 bytes in 1 blocks are definitely lost in loss record 264
of 268
==1945==    at 0x4C2AF2E: realloc (vg_replace_malloc.c:692)
==1945==    by 0x4EBDF4B: msSplitData (maporaclespatial.c:404)
==1945==    by 0x4EC90E0: msOracleSpatialLayerTranslateFilter (maporaclespatial.c:3499)

I wonder if in the context of msOracleSpatialLayerTranslateFilter(),
the pointers are still valid when they are actually freed at the end of
the method.
  • Loading branch information...
pmauduit authored and tbonfort committed Jan 17, 2017
1 parent 506c173 commit bbe23e8c0b9cce174dc3ff313e3e5d3560c1e62b
Showing with 2 additions and 0 deletions.
  1. +2 −0 maporaclespatial.c
@@ -399,8 +399,10 @@ static int msSplitData( char *data, char **geometry_column_name, char **table_na
break; /* stop on spaces */
/* double the size of the table_name array if necessary */
if (i == table_name_size) {
size_t tgt_offset = tgt - *table_name;
table_name_size *= 2;
*table_name = (char *) realloc(*table_name,sizeof(char *) * table_name_size);
tgt = *table_name + tgt_offset;
*tgt = *src;

0 comments on commit bbe23e8

Please sign in to comment.