[mapserver-commits] r9171 - trunk/mapserver

[svn at osgeo.org]

Author: dmorissette
Date: 2009-07-13 16:22:01 -0400 (Mon, 13 Jul 2009)
New Revision: 9171

Modified:
   trunk/mapserver/cgiutil.c
   trunk/mapserver/mapserver.h
Log:
Final fix (hopefully) for CVE-2009-0840 (#2943)

Modified: trunk/mapserver/cgiutil.c
===================================================================
--- trunk/mapserver/cgiutil.c	2009-07-13 17:23:57 UTC (rev 9170)
+++ trunk/mapserver/cgiutil.c	2009-07-13 20:22:01 UTC (rev 9171)
@@ -44,7 +44,7 @@
 static char *readPostBody( cgiRequestObj *request ) 
 {
   char *data; 
-  unsigned int data_max, data_len;
+  size_t data_max, data_len;
   int chunk_size;
 
   msIO_needBinaryStdin();
@@ -53,10 +53,11 @@
   /*      If the length is provided, read in one gulp.                    */
   /* -------------------------------------------------------------------- */
   if( getenv("CONTENT_LENGTH") != NULL ) {
-    data_max = (unsigned int) atoi(getenv("CONTENT_LENGTH"));
-    if(data_max <= 0) {
+    data_max = (size_t) atoi(getenv("CONTENT_LENGTH"));
+    /* Test for suspicious CONTENT_LENGTH (negative value or SIZE_MAX) */
+    if( data_max >= SIZE_MAX ) {
       msIO_printf("Content-type: text/html%c%c",10,10);
-      msIO_printf("Content-Length too small.\n");
+      msIO_printf("Suspicious Content-Length.\n");
       exit( 1 );
     }
     data = (char *) malloc(data_max+1);
@@ -79,7 +80,9 @@
   /* -------------------------------------------------------------------- */
   /*      Otherwise read in chunks to the end.                            */
   /* -------------------------------------------------------------------- */
-  data_max = 10000;
+#define DATA_ALLOC_SIZE 10000
+
+  data_max = DATA_ALLOC_SIZE;
   data_len = 0;
   data = (char *) malloc(data_max+1);
 
@@ -87,7 +90,14 @@
     data_len += chunk_size;
 
     if( data_len == data_max ) {
-      data_max = data_max + 10000;
+      /* Realloc buffer, making sure we check for possible size_t overflow */
+        if ( data_max > SIZE_MAX - (DATA_ALLOC_SIZE+1) ) {
+        msIO_printf("Content-type: text/html%c%c",10,10);
+        msIO_printf("Possible size_t overflow, cannot reallocate input buffer, POST body too large?\n" );
+        exit(1);
+      }
+
+      data_max = data_max + DATA_ALLOC_SIZE;
       data = (char *) realloc(data, data_max+1);
 
       if( data == NULL ) {

Modified: trunk/mapserver/mapserver.h
===================================================================
--- trunk/mapserver/mapserver.h	2009-07-13 17:23:57 UTC (rev 9170)
+++ trunk/mapserver/mapserver.h	2009-07-13 20:22:01 UTC (rev 9171)
@@ -76,6 +76,10 @@
 
 /* definition of  ms_int32/ms_uint32 */
 #include <limits.h>
+#ifndef _WIN32
+#include <stdint.h>
+#endif
+
 #if ULONG_MAX == 0xffffffff
 typedef long            ms_int32;
 typedef unsigned long   ms_uint32;
@@ -83,7 +87,6 @@
 typedef int             ms_int32;
 typedef unsigned int    ms_uint32;
 #else
-#include <stdint.h>
 typedef int32_t         ms_int32;
 typedef uint32_t        ms_uint32;
 #endif