[mapserver-commits] r9174 - branches/branch-5-0/mapserver
svn at osgeo.org
svn at osgeo.org
Mon Jul 13 16:42:18 EDT 2009
Author: dmorissette
Date: 2009-07-13 16:42:17 -0400 (Mon, 13 Jul 2009)
New Revision: 9174
Modified:
branches/branch-5-0/mapserver/HISTORY.TXT
branches/branch-5-0/mapserver/cgiutil.c
branches/branch-5-0/mapserver/mapserver.h
Log:
Fix for CVE-2009-0840 security vulnerability (#2943)
Modified: branches/branch-5-0/mapserver/HISTORY.TXT
===================================================================
--- branches/branch-5-0/mapserver/HISTORY.TXT 2009-07-13 20:34:07 UTC (rev 9173)
+++ branches/branch-5-0/mapserver/HISTORY.TXT 2009-07-13 20:42:17 UTC (rev 9174)
@@ -10,6 +10,11 @@
For a complete change history, please see the Subversion log comments.
+Current Version (SVN branch, may never be released):
+----------------------------------------------------
+
+- Fix for CVE-2009-0840 security vulnerability (#2943)
+
Version 5.0.3 (2008-06-04)
--------------------------
Modified: branches/branch-5-0/mapserver/cgiutil.c
===================================================================
--- branches/branch-5-0/mapserver/cgiutil.c 2009-07-13 20:34:07 UTC (rev 9173)
+++ branches/branch-5-0/mapserver/cgiutil.c 2009-07-13 20:42:17 UTC (rev 9174)
@@ -1,4 +1,5 @@
/******************************************************************************
+ * $Id$
*
* Project: MapServer
* Purpose: cgiRequestObj and CGI parameter parsing.
@@ -41,7 +42,8 @@
static char *readPostBody( cgiRequestObj *request )
{
char *data;
- int data_max, data_len, chunk_size;
+ size_t data_max, data_len;
+ int chunk_size;
msIO_needBinaryStdin();
@@ -49,11 +51,17 @@
/* If the length is provided, read in one gulp. */
/* -------------------------------------------------------------------- */
if( getenv("CONTENT_LENGTH") != NULL ) {
- data_max = atoi(getenv("CONTENT_LENGTH"));
+ data_max = (size_t) atoi(getenv("CONTENT_LENGTH"));
+ /* Test for suspicious CONTENT_LENGTH (negative value or SIZE_MAX) */
+ if( data_max >= SIZE_MAX ) {
+ msIO_printf("Content-type: text/html%c%c",10,10);
+ msIO_printf("Suspicious Content-Length.\n");
+ exit( 1 );
+ }
data = (char *) malloc(data_max+1);
if( data == NULL ) {
msIO_printf("Content-type: text/html%c%c",10,10);
- msIO_printf("malloc() failed, Content-Length: %d unreasonably large?\n", data_max );
+ msIO_printf("malloc() failed, Content-Length: %u unreasonably large?\n", data_max );
exit( 1 );
}
@@ -70,7 +78,9 @@
/* -------------------------------------------------------------------- */
/* Otherwise read in chunks to the end. */
/* -------------------------------------------------------------------- */
- data_max = 10000;
+#define DATA_ALLOC_SIZE 10000
+
+ data_max = DATA_ALLOC_SIZE;
data_len = 0;
data = (char *) malloc(data_max+1);
@@ -78,12 +88,19 @@
data_len += chunk_size;
if( data_len == data_max ) {
- data_max = data_max + 10000;
+ /* Realloc buffer, making sure we check for possible size_t overflow */
+ if ( data_max > SIZE_MAX - (DATA_ALLOC_SIZE+1) ) {
+ msIO_printf("Content-type: text/html%c%c",10,10);
+ msIO_printf("Possible size_t overflow, cannot reallocate input buffer, POST body too large?\n" );
+ exit(1);
+ }
+
+ data_max = data_max + DATA_ALLOC_SIZE;
data = (char *) realloc(data, data_max+1);
if( data == NULL ) {
msIO_printf("Content-type: text/html%c%c",10,10);
- msIO_printf("out of memory trying to allocate %d input buffer, POST body too large?\n", data_max+1 );
+ msIO_printf("out of memory trying to allocate %u input buffer, POST body too large?\n", data_max+1 );
exit(1);
}
}
Modified: branches/branch-5-0/mapserver/mapserver.h
===================================================================
--- branches/branch-5-0/mapserver/mapserver.h 2009-07-13 20:34:07 UTC (rev 9173)
+++ branches/branch-5-0/mapserver/mapserver.h 2009-07-13 20:42:17 UTC (rev 9174)
@@ -65,6 +65,10 @@
/* definition of ms_int32/ms_uint32 */
#include <limits.h>
+#ifndef _WIN32
+#include <stdint.h>
+#endif
+
#if ULONG_MAX == 0xffffffff
typedef long ms_int32;
typedef unsigned long ms_uint32;
@@ -72,7 +76,6 @@
typedef int ms_int32;
typedef unsigned int ms_uint32;
#else
-#include <stdint.h>
typedef int32_t ms_int32;
typedef uint32_t ms_uint32;
#endif
More information about the mapserver-commits
mailing list