[mapserver-commits] r9171 - trunk/mapserver
svn at osgeo.org
svn at osgeo.org
Mon Jul 13 16:22:02 EDT 2009
Author: dmorissette
Date: 2009-07-13 16:22:01 -0400 (Mon, 13 Jul 2009)
New Revision: 9171
Modified:
trunk/mapserver/cgiutil.c
trunk/mapserver/mapserver.h
Log:
Final fix (hopefully) for CVE-2009-0840 (#2943)
Modified: trunk/mapserver/cgiutil.c
===================================================================
--- trunk/mapserver/cgiutil.c 2009-07-13 17:23:57 UTC (rev 9170)
+++ trunk/mapserver/cgiutil.c 2009-07-13 20:22:01 UTC (rev 9171)
@@ -44,7 +44,7 @@
static char *readPostBody( cgiRequestObj *request )
{
char *data;
- unsigned int data_max, data_len;
+ size_t data_max, data_len;
int chunk_size;
msIO_needBinaryStdin();
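Review bot: The widening to size_t at L22 leaves `int chunk_size` at L23 signed, so the `data_len += chunk_size` later in this function mixes a signed int into size_t arithmetic; if whatever fills chunk_size can return a negative error value (not visible on this page), data_len wraps to a huge value and the `data_len == data_max` growth check never fires. Either declare `size_t chunk_size;` when the reader returns an unsigned count, or guard with `if( chunk_size < 0 ) { /* read error: exit as the other paths do */ }` before the addition. readPostBody's body continues outside this hunk.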
@@ -53,10 +53,11 @@
/* If the length is provided, read in one gulp. */
/* -------------------------------------------------------------------- */
if( getenv("CONTENT_LENGTH") != NULL ) {
- data_max = (unsigned int) atoi(getenv("CONTENT_LENGTH"));
- if(data_max <= 0) {
+ data_max = (size_t) atoi(getenv("CONTENT_LENGTH"));
+ /* Test for suspicious CONTENT_LENGTH (negative value or SIZE_MAX) */
+ if( data_max >= SIZE_MAX ) {
msIO_printf("Content-type: text/html%c%c",10,10);
- msIO_printf("Content-Length too small.\n");
+ msIO_printf("Suspicious Content-Length.\n");
exit( 1 );
}
data = (char *) malloc(data_max+1);
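Review bot: The new check at L33 only catches CONTENT_LENGTH == -1, the one negative int that casts to SIZE_MAX; any other negative value such as -2 passes as SIZE_MAX-1 and reaches `malloc(data_max+1)` as a near-SIZE_MAX allocation, and whether that failure is handled depends on the NULL check that follows outside this hunk. atoi also reports no error and its behaviour on out-of-range input is undefined, so the comment's "negative value" claim is not what the code enforces. Parse into a signed long with strtol, reject negatives, ERANGE and trailing garbage, then convert (needs `<errno.h>`); readPostBody continues past the hunk.
```c
  if( getenv("CONTENT_LENGTH") != NULL ) {
    /* Parse as a signed value so every negative or malformed length is rejected,
     * not only -1 (the single value that casts to SIZE_MAX). */
    const char *content_length_str = getenv("CONTENT_LENGTH");
    char *end = NULL;
    long content_length;
    errno = 0;
    content_length = strtol(content_length_str, &end, 10);
    if( end == content_length_str || *end != '\0' || errno == ERANGE
        || content_length < 0 || (unsigned long) content_length >= SIZE_MAX ) {
      msIO_printf("Content-type: text/html%c%c",10,10);
      msIO_printf("Suspicious Content-Length.\n");
      exit( 1 );
    }
    data_max = (size_t) content_length;
    /* … unchanged: malloc(data_max+1) and the one-gulp read … */
```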
@@ -79,7 +80,9 @@
/* -------------------------------------------------------------------- */
/* Otherwise read in chunks to the end. */
/* -------------------------------------------------------------------- */
- data_max = 10000;
+#define DATA_ALLOC_SIZE 10000
+
+ data_max = DATA_ALLOC_SIZE;
data_len = 0;
data = (char *) malloc(data_max+1);
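Review bot: `#define DATA_ALLOC_SIZE 10000` at L45 is placed in the middle of readPostBody's body; a macro has file scope from that point regardless, so defining it inside the function hides it from a reader scanning the top of cgiutil.c and leaves it undefined for any code above this line. Move it to file scope next to the other definitions (or make it `enum { DATA_ALLOC_SIZE = 10000 };`) and keep only `data_max = DATA_ALLOC_SIZE;` here. readPostBody continues outside this hunk.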
@@ -87,7 +90,14 @@
data_len += chunk_size;
if( data_len == data_max ) {
- data_max = data_max + 10000;
+ /* Realloc buffer, making sure we check for possible size_t overflow */
+ if ( data_max > SIZE_MAX - (DATA_ALLOC_SIZE+1) ) {
+ msIO_printf("Content-type: text/html%c%c",10,10);
+ msIO_printf("Possible size_t overflow, cannot reallocate input buffer, POST body too large?\n" );
+ exit(1);
+ }
+
+ data_max = data_max + DATA_ALLOC_SIZE;
data = (char *) realloc(data, data_max+1);
if( data == NULL ) {
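Review bot: The overflow guard at L55 is arithmetically correct but only trips after the process has already buffered close to SIZE_MAX bytes, so there is still no upper bound on a chunked POST body and a client can drive memory use up until realloc fails. A fixed cap checked before the growth, e.g. `if( data_max + DATA_ALLOC_SIZE > MAX_POST_BODY_SIZE ) { msIO_printf("POST body too large.\n"); exit(1); }` with MAX_POST_BODY_SIZE defined at file scope, is the practical defense; the exact limit is a policy choice. Separately, `data = (char *) realloc(data, data_max+1);` at L62 drops the old pointer on failure, which is harmless only if the NULL branch starting at L63 exits rather than returns; that branch continues outside this hunk.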
Modified: trunk/mapserver/mapserver.h
===================================================================
--- trunk/mapserver/mapserver.h 2009-07-13 17:23:57 UTC (rev 9170)
+++ trunk/mapserver/mapserver.h 2009-07-13 20:22:01 UTC (rev 9171)
@@ -76,6 +76,10 @@
/* definition of ms_int32/ms_uint32 */
#include <limits.h>
+#ifndef _WIN32
+#include <stdint.h>
+#endif
+
#if ULONG_MAX == 0xffffffff
typedef long ms_int32;
typedef unsigned long ms_uint32;
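Review bot: cgiutil.c now depends on SIZE_MAX, which this hunk supplies via `<stdint.h>` only when `_WIN32` is not defined; on Windows it has to come from `<limits.h>` or another header not shown on this page, so a toolchain lacking it would break the build at the new checks. A portable fallback right after the includes removes that dependency: `#ifndef SIZE_MAX` / `#define SIZE_MAX ((size_t)-1)` / `#endif`.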
@@ -83,7 +87,6 @@
typedef int ms_int32;
typedef unsigned int ms_uint32;
#else
-#include <stdint.h>
typedef int32_t ms_int32;
typedef uint32_t ms_uint32;
#endif