segfault in msSLDApplySLD #4412

relet opened this Issue Aug 2, 2012 · 19 comments


None yet

5 participants

relet commented Aug 2, 2012

In mapserv 6.0.3, I get a segfault

  • in a realloc
  • in one of the three msStringConcatenate instances,
  • in msSLDApplySLD

when trying to apply the SLD file located at using a request like


I'll try to trace it further, but any hints are welcome.

relet commented Aug 2, 2012

I tried to reproduce the issue on a system with debug symbols, and ran into a different segfault in the same method:

#0  0x000000000042c028 in strlcat (dst=0x7fffffffd410 " (\"f_code\"= '", src=0x0, siz=1024) at mapstring.c:156
#1  0x00000000004b60b3 in FLTGetBinaryComparisonSQLExpresssion (psFilterNode=0xc3d360, lp=0x7dfa40) at mapogcfilter.c:2589
#2  0x00000000004b4ab2 in FLTGetSQLExpression (psFilterNode=0xc3d360, lp=0x7dfa40) at mapogcfilter.c:2044
#3  0x00000000005452ca in msSLDApplySLD (map=0x7d7100, 
    psSLDXML=0x7ffff7f73010 "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<sld:StyledLayerDescriptor version=\"1.1.0\"\r\n  xmlns=\"\"\r\n  xmlns:sld=\"\"\r\n  xmlns:se=\""..., iLayer=-1, 
    pszStyleLayerName=0x0) at mapogcsld.c:414
#4  0x0000000000543d80 in msSLDApplySLDURL (map=0x7d7100, szURL=0x7d7080 "", iLayer=-1, 
    pszStyleLayerName=0x0) at mapogcsld.c:102
#5  0x00000000005094e3 in msWMSLoadGetMapParams (map=0x7d7100, nVersion=66304, names=0x7d5de0, values=0x7d6110, numentries=14, 
    wms_exception_format=0x0, wms_request=0x7d66b0 "GetMap", ows_request=0x7fffffffe170) at mapwms.c:1082
#6  0x00000000005139cc in msWMSDispatch (map=0x7d7100, req=0x7d5da0, ows_request=0x7fffffffe170, force_wms_mode=0) at mapwms.c:4144
#7  0x0000000000492126 in msOWSDispatch (map=0x7d7100, request=0x7d5da0, ows_mode=-1) at mapows.c:76
#8  0x00000000004142c2 in main (argc=2, argv=0x7fffffffe7b8) at mapserv.c:1242
relet commented Aug 3, 2012

Confirmed in trunk:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7a7aec8 in strlcat (dst=0x7fffffffd710 " (\"f_code\"= '", src=0x0, siz=1024) at mapstring.c:156
156   while (*s != '\0') {
relet commented Aug 3, 2012

Ok, the latter two seem to be caused by the SLD methods not expecting errors (and null strings) to be returned when processing SQL expressions; and segfaulting badly. (e.g. "PostGIS support not available").

Going to enable postgis and trace the original bug now. ;)

relet commented Aug 3, 2012

The same seems to happen for the error "String failed expression test" in 6.0.3 and trunk.

tbonfort commented Aug 3, 2012

can you provide a mapfile and request that triggers the segfault, I'll try to have a look. See also #4407 and #4387, which may be related.

relet commented Aug 3, 2012

One more trace with realloc in FLTIsNumeric. The problems seem to be related, although I'm not sure at which point the input string GB005 would have run through msStringConcatenate.

We'll try to distill a smaller file that reproduces the error.

#0  0x00007ffff50dbc93 in _int_malloc () from /lib64/
#1  0x00007ffff50ddc6a in _int_realloc () from /lib64/
#2  0x00007ffff50ddf85 in realloc () from /lib64/
#3  0x00007ffff51192a6 in re_node_set_merge () from /lib64/
#4  0x00007ffff511d645 in calc_eclosure_iter () from /lib64/
#5  0x00007ffff511d71b in calc_eclosure_iter () from /lib64/
#6  0x00007ffff512e007 in re_compile_internal () from /lib64/
#7  0x00007ffff512f26f in regcomp () from /lib64/
#8  0x00000000004c1636 in ms_regcomp (regex=0x7fffffffd2b0, expr=0x588a28 "^[-+]?[0-9]*\\.?[0-9]+([eE][-+]?[0-9]+)?$", cflags=5)
    at mapregex.c:61
#9  0x000000000042fab4 in msEvalRegex (e=0x588a28 "^[-+]?[0-9]*\\.?[0-9]+([eE][-+]?[0-9]+)?$", s=0xbda950 "GB005") at mapfile.c:127
#10 0x00000000004b0dce in FLTIsNumeric (pszValue=0xbda950 "GB005") at mapogcfilter.c:73
#11 0x00000000004b63bc in FLTGetBinaryComparisonSQLExpresssion (psFilterNode=0x8d7950, lp=0x804970) at mapogcfilter.c:2508
#12 0x00000000004b51c6 in FLTGetSQLExpression (psFilterNode=0x8d7950, lp=0x804970) at mapogcfilter.c:2044
#13 0x000000000054c74a in msSLDApplySLD (map=0x7e3b70, 
    psSLDXML=0x7ffff7f68010 "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<sld:StyledLayerDescriptor version=\"1.1.0\"\r\n  xmlns=\"\"\r\n  xmlns:sld=\"\"\r\n  xmlns:se=\""..., iLayer=-1, pszStyleLayerName=0x0)
    at mapogcsld.c:414
#14 0x000000000054b200 in msSLDApplySLDURL (map=0x7e3b70, szURL=0x7e3af0 "", iLayer=-1, 
    pszStyleLayerName=0x0) at mapogcsld.c:102
#15 0x0000000000510963 in msWMSLoadGetMapParams (map=0x7e3b70, nVersion=66304, names=0x7e2830, values=0x7e2b60, numentries=14, 
    wms_exception_format=0x0, wms_request=0x7e3100 "GetMap", ows_request=0x7fffffffe170) at mapwms.c:1082
#16 0x000000000051ae4c in msWMSDispatch (map=0x7e3b70, req=0x7e27f0, ows_request=0x7fffffffe170, force_wms_mode=0) at mapwms.c:4144
#17 0x000000000049283a in msOWSDispatch (map=0x7e3b70, request=0x7e27f0, ows_mode=-1) at mapows.c:76
#18 0x00000000004149c2 in main (argc=2, argv=0x7fffffffe7b8) at mapserv.c:1242
@tbonfort tbonfort was assigned Aug 6, 2012
tbonfort commented Aug 6, 2012

I'm unable to import your db dump, it has dependencies on contrib modules which I am not motivated enough to resolve.

Fair enough Thomas, sorry about that, I'll try and again and make sure it's importable without dependencies.

@tbonfort New example at . Just need to create a new db called slderror on a postgistemplate to import everything into. I get a couple of errors on the geometry_columns table related to the pk but everything imports ok for me and the data is fine.

tbonfort commented Aug 7, 2012

I have committed a fix in 92c9ed0 that solves the segfault. This issue can now be closed, however the SLD you are using is still failing due to issues related to #3929 and #3983

@tbonfort tbonfort closed this Aug 7, 2012

trying to use this testcase to reproduce 3983... but getting a segfault if I add the SLD=http://mapserver-dev/mapserver/bugs/4412/slderror_sld.xml parameter. I'm just getting this error from gdb:

Program received signal SIGSEGV, Segmentation fault.
0x00007fffefb34760 in ssl3_ciphers () from /lib/

any hint?


@aboudreault: Valgrind?


the error seems strange... not sure what's wrong with my build:

2281        layerinfo->pgconn = PQconnectdb(conn_decrypted);
(gdb) p conn_decrypted
$5 = 0x65ed50 "host=postgresql dbname=slderror user=postgres password=postgres port=5433"
(gdb) p layerinfo->pgconn
$6 = (PGconn *) 0x0
(gdb) s

Program received signal SIGSEGV, Segmentation fault.
0x00007fffefb34760 in ssl3_ciphers () from /lib/

After further investigation... it looks like I can't do much for now about this issue. I'm experiencing this ecryptfs bug: ... staying in touch with the ticket and the developer on freenode...


@aboudreault #4412 is fixed, the real issue is visible in #3929 and is related to erroneous calls to msStringEscape() and probably not related to postgres only.


@tbonfort yes but I do not have any other SLD testcase in hand and I know very little about it to make one myself


@aboudreault you can reproduce this in msautotest/wxs :

/usr/local/bin/mapserv QUERY_STRING=",42,-58.375,48.5&FORMAT=image/png; mode=24bit&WIDTH=300&HEIGHT=200&STYLES=&LAYERS=road&sld_body=<StyledLayerDescriptor version='1.0.0'><NamedLayer><Name>road</Name><UserStyle><Title>xxx</Title><FeatureTypeStyle><Rule><Filter><Or><PropertyIsLike+wildCard='*'+singleChar='.'+escape='!'><PropertyName>NAME_E</PropertyName><Literal>Trans*</Literal></PropertyIsLike><PropertyIsLessThan><PropertyName>ROAD_ID</PropertyName><Literal>100</Literal></PropertyIsLessThan></Or></Filter><LineSymbolizer><Geometry><PropertyName>center-line</PropertyName></Geometry><Stroke><CssParameter name='stroke'>#0000ff</CssParameter><CssParameter name='stroke-width'>2.0</CssParameter></Stroke></LineSymbolizer></Rule></FeatureTypeStyle></UserStyle></NamedLayer></StyledLayerDescriptor>"
@tbonfort tbonfort reopened this Aug 21, 2012
@tbonfort tbonfort closed this Aug 21, 2012
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment