mapxbase: validate nHeadLen
Make sure the "nFields" formula doesn't underflow, leading to a
multi-gigabyte memory allocation and probably a heap buffer overflow.

Vulnerability found with libFuzzer.
MaxKellermann authored and rouault committed May 4, 2021
1 parent 5e4c504 commit ee5d5de
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions mapxbase.c
Expand Up @@ -204,6 +204,13 @@ DBFHandle msDBFOpen( const char * pszFilename, const char * pszAccess )
psDBF->nHeaderLength = nHeadLen = pabyBuf[8] + pabyBuf[9]*256;
psDBF->nRecordLength = nRecLen = pabyBuf[10] + pabyBuf[11]*256;

if (nHeadLen <= 32) {
VSIFCloseL( psDBF->fp );
msFree(psDBF);
msFree(pabyBuf);
return( NULL );
}

psDBF->nFields = nFields = (nHeadLen - 32) / 32;

psDBF->pszCurrentRecord = (char *) msSmallMalloc(nRecLen);
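Review bot: the new `nHeadLen <= 32` guard treats a header length of exactly 32 as invalid but still accepts 33 through 63, and all of those values give `nFields == 0` in the `(nHeadLen - 32) / 32` division that follows, so the bound is inconsistent about whether a file with zero fields is acceptable. If zero fields is not a valid state for the code after this point, reject it uniformly (for example by checking `nFields` after the division, or by raising the bound); if it is valid, `< 32` is enough to stop the negative result the commit message describes. Separately, `nRecLen` is read from the same untrusted header two lines above the guard and goes unchecked into `msSmallMalloc(nRecLen)` in the trailing context, so a record length of 0 should be rejected in the same early-return block. A short comment naming what the two 32s stand for would also help the next reader of this check.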