mapxbase: validate nHeadLen

Make sure the "nFields" formula doesn't underflow, leading to a multi-gigabyte memory allocation and probably a heap buffer overflow. Vulnerability found with libFuzzer.
MapServer · May 4, 2021 · ee5d5de · ee5d5de
1 parent 5e4c504
commit ee5d5de
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/mapxbase.c b/mapxbase.c
@@ -204,6 +204,13 @@ DBFHandle msDBFOpen( const char * pszFilename, const char * pszAccess )
   psDBF->nHeaderLength = nHeadLen = pabyBuf[8] + pabyBuf[9]*256;
   psDBF->nRecordLength = nRecLen = pabyBuf[10] + pabyBuf[11]*256;
 
+  if (nHeadLen <= 32) {
+    VSIFCloseL( psDBF->fp );
+    msFree(psDBF);
+    msFree(pabyBuf);
+    return( NULL );
+  }
+
   psDBF->nFields = nFields = (nHeadLen - 32) / 32;
 
   psDBF->pszCurrentRecord = (char *) msSmallMalloc(nRecLen);