[mapserver-commits] r9802 - branches/branch-5-4/mapserver

svn at osgeo.org svn at osgeo.org
Thu Feb 18 14:27:20 EST 2010


Author: pramsey
Date: 2010-02-18 14:27:18 -0500 (Thu, 18 Feb 2010)
New Revision: 9802

Modified:
   branches/branch-5-4/mapserver/HISTORY.TXT
   branches/branch-5-4/mapserver/mappostgis.c
Log:
Avoid memory error when building SQL bbox (#3324)


Modified: branches/branch-5-4/mapserver/HISTORY.TXT
===================================================================
--- branches/branch-5-4/mapserver/HISTORY.TXT	2010-02-18 06:16:03 UTC (rev 9801)
+++ branches/branch-5-4/mapserver/HISTORY.TXT	2010-02-18 19:27:18 UTC (rev 9802)
@@ -14,6 +14,8 @@
 Current Version:
 ----------------
 
+- Avoid memory error when building SQL bbox (#3324)
+
 - Determine PgSQL version in a more backwards compatible way (#3291)
 
 - Fixed use of minfeaturesize auto with curved labels (#3151)

Modified: branches/branch-5-4/mapserver/mappostgis.c
===================================================================
--- branches/branch-5-4/mapserver/mappostgis.c	2010-02-18 06:16:03 UTC (rev 9801)
+++ branches/branch-5-4/mapserver/mappostgis.c	2010-02-18 19:27:18 UTC (rev 9802)
@@ -913,32 +913,44 @@
 char *msPostGISBuildSQLBox(layerObj *layer, rectObj *rect, char *strSRID) {
 
     char *strBox = NULL;
+    size_t sz;
 
     if (layer->debug) {
         msDebug("msPostGISBuildSQLBox called.\n");
     }
 
     if ( strSRID ) {
-        static char *strBoxTemplate = "GeomFromText('POLYGON((%.15g %.15g,%.15g %.15g,%.15g %.15g,%.15g %.15g,%.15g %.15g))',%s)";
+        static char *strBoxTemplate = "GeomFromText('POLYGON((%.15f %.15f,%.15f %.15f,%.15f %.15f,%.15f %.15f,%.15f %.15f))',%s)";
         /* 10 doubles + 1 integer + template characters */
-        strBox = (char*)malloc(10 * 15 + strlen(strSRID) + strlen(strBoxTemplate));
-        sprintf(strBox, strBoxTemplate,
+        sz = 10 * 15 + strlen(strSRID) + strlen(strBoxTemplate);
+        strBox = (char*)malloc(sz+1); /* add space for terminating NULL */
+        if ( sz <= snprintf(strBox, sz, strBoxTemplate,
                 rect->minx, rect->miny,
                 rect->minx, rect->maxy,
                 rect->maxx, rect->maxy,
                 rect->maxx, rect->miny,
                 rect->minx, rect->miny,
-                strSRID);
+                strSRID) )
+	{
+        	msSetError(MS_MISCERR,"Bounding box digits truncated.","msPostGISBuildSQLBox");
+        	return 0;
+	}
     } else {
-        static char *strBoxTemplate = "GeomFromText('POLYGON((%.15g %.15g,%.15g %.15g,%.15g %.15g,%.15g %.15g,%.15g %.15g))')";
+        static char *strBoxTemplate = "GeomFromText('POLYGON((%.15f %.15f,%.15f %.15f,%.15f %.15f,%.15f %.15f,%.15f %.15f))')";
         /* 10 doubles + template characters */
-        strBox = (char*)malloc(10 * 15 + strlen(strBoxTemplate));
-        sprintf(strBox, strBoxTemplate,
+        sz = 10 * 15 + strlen(strBoxTemplate);
+        strBox = (char*)malloc(sz+1); /* add space for terminating NULL */
+        if ( sz <= snprintf(strBox, sz, strBoxTemplate,
                 rect->minx, rect->miny,
                 rect->minx, rect->maxy,
                 rect->maxx, rect->maxy,
                 rect->maxx, rect->miny,
-                rect->minx, rect->miny);
+                rect->minx, rect->miny) )
+	{
+        	msSetError(MS_MISCERR,"Bounding box digits truncated.","msPostGISBuildSQLBox");
+        	return 0;
+	}
+	
     }
 
     return strBox;
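Review bot: The truncation branches in both the SRID and the non-SRID path `return 0;` without releasing `strBox`, so every rejected box leaks the buffer; add `free(strBox);` before each `return 0;`. The `malloc(sz+1)` result is also handed to `snprintf` unchecked, so an allocation failure becomes a write through NULL instead of an error return; test `strBox` right after each allocation. The `10 * 15` budget looks too small for `%.15f`, which prints 15 fractional digits plus the integer part, sign and decimal point, so extents with several integer digits would likely take the error path on ordinary requests and make the leak easy to reach. Sizing the buffer from the formatted length, or a wider per-double allowance, would avoid that. The function's closing brace lies outside this hunk.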


