Commit ee5d5de
MaxKellermann authored and rouault committed
mapxbase: validate nHeadLen
Make sure the "nFields" formula doesn't underflow, leading to a multi-gigabyte memory allocation and probably a heap buffer overflow. Vulnerability found with libFuzzer.
1 parent 5e4c504 commit ee5d5de

1 file changed, +7 -0 lines changed

Diff for: mapxbase.c

@@ -204,6 +204,13 @@ DBFHandle msDBFOpen( const char * pszFilename, const char * pszAccess )
204204
psDBF->nHeaderLength = nHeadLen = pabyBuf[8] + pabyBuf[9]*256;
205205
psDBF->nRecordLength = nRecLen = pabyBuf[10] + pabyBuf[11]*256;
206206

207+
if (nHeadLen <= 32) {
208+
VSIFCloseL( psDBF->fp );
209+
msFree(psDBF);
210+
msFree(pabyBuf);
211+
return( NULL );
212+
}
213+
207214
psDBF->nFields = nFields = (nHeadLen - 32) / 32;
208215

209216
psDBF->pszCurrentRecord = (char *) msSmallMalloc(nRecLen);
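
Review bot: The new check at line 207 validates only nHeadLen, while nRecLen, read from the same file-supplied header bytes at line 205, still reaches msSmallMalloc(nRecLen) at line 216 unchecked and can be 0; consider rejecting nRecLen == 0 in the same condition so both header-derived lengths are validated before use. Separately, `nHeadLen <= 32` also rejects a header length of exactly 32, which the formula at line 214 would turn into nFields == 0 rather than a negative count; if rejecting zero-field files is intended, a one-line comment saying so and explaining the literal 32 would make the bound easier to audit.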
