[mapserver-commits] r9175 - branches/branch-4-10/mapserver
svn at osgeo.org
svn at osgeo.org
Mon Jul 13 17:02:54 EDT 2009
Author: dmorissette
Date: 2009-07-13 17:02:54 -0400 (Mon, 13 Jul 2009)
New Revision: 9175
Modified:
branches/branch-4-10/mapserver/HISTORY.TXT
branches/branch-4-10/mapserver/cgiutil.c
branches/branch-4-10/mapserver/map.h
Log:
New fix for incomplete CVE-2009-0840 security fix made in 4.10.4 (#2943)
Modified: branches/branch-4-10/mapserver/HISTORY.TXT
===================================================================
--- branches/branch-4-10/mapserver/HISTORY.TXT 2009-07-13 20:42:17 UTC (rev 9174)
+++ branches/branch-4-10/mapserver/HISTORY.TXT 2009-07-13 21:02:54 UTC (rev 9175)
@@ -10,6 +10,11 @@
For a complete change history, please see the Subversion log comments.
+Current Version (SVN branch, may never be released):
+----------------------------------------------------
+
+- New fix for incomplete CVE-2009-0840 security fix made in 4.10.4 (#2943)
+
Version 4.10.4 (2009-03-26)
---------------------------
Modified: branches/branch-4-10/mapserver/cgiutil.c
===================================================================
--- branches/branch-4-10/mapserver/cgiutil.c 2009-07-13 20:42:17 UTC (rev 9174)
+++ branches/branch-4-10/mapserver/cgiutil.c 2009-07-13 21:02:54 UTC (rev 9175)
@@ -69,7 +69,7 @@
static char *readPostBody( cgiRequestObj *request )
{
char *data;
- unsigned int data_max, data_len;
+ size_t data_max, data_len;
int chunk_size;
msIO_needBinaryStdin();
@@ -80,7 +80,14 @@
if( getenv("CONTENT_LENGTH") != NULL )
{
- data_max = atoi(getenv("CONTENT_LENGTH"));
+ data_max = (size_t) atoi(getenv("CONTENT_LENGTH"));
+ /* Test for suspicious CONTENT_LENGTH (negative value or SIZE_MAX) */
+ if( data_max >= SIZE_MAX )
+ {
+ msIO_printf("Content-type: text/html%c%c",10,10);
+ msIO_printf("Suspicious Content-Length.\n");
+ exit( 1 );
+ }
data = (char *) malloc(data_max+1);
if( data == NULL )
{
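Review bot: The new test `data_max >= SIZE_MAX` catches only a Content-Length of exactly -1; any other negative value from `atoi()` converts to a huge `size_t` just below `SIZE_MAX`, passes the test, and is stopped only because `malloc(data_max+1)` happens to fail. `atoi()` also gives no error indication for non-numeric or out-of-range input. Parsing with `strtol()` and rejecting negative, non-numeric and out-of-range values before the conversion to `size_t` makes the check match its comment. `errno` needs `<errno.h>` if cgiutil.c does not already include it. The body of readPostBody continues outside this hunk.

```c
    if( getenv("CONTENT_LENGTH") != NULL )
    {
        const char *cl = getenv("CONTENT_LENGTH");
        char *end = NULL;
        long len;

        errno = 0;
        len = strtol(cl, &end, 10);
        /* Reject empty, non-numeric, out-of-range and negative values
           before anything is converted to size_t */
        if( end == cl || *end != '\0' || errno == ERANGE || len < 0 )
        {
            /* ... unchanged: "Suspicious Content-Length." response and exit(1) ... */
        }
        data_max = (size_t) len;
        /* ... unchanged: malloc(data_max+1) and NULL check ... */
```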
@@ -102,7 +109,9 @@
/* -------------------------------------------------------------------- */
/* Otherwise read in chunks to the end. */
/* -------------------------------------------------------------------- */
- data_max = 10000;
+#define DATA_ALLOC_SIZE 10000
+
+ data_max = DATA_ALLOC_SIZE;
data_len = 0;
data = (char *) malloc(data_max+1);
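Review bot: `DATA_ALLOC_SIZE` is introduced with `#define` in the middle of readPostBody's body, so the macro stays visible for the rest of cgiutil.c even though it is only meaningful to this read loop. Defining it next to the file's other constants, or following the function with `#undef DATA_ALLOC_SIZE`, keeps the scope clear. A one-line comment such as `/* growth step, in bytes, for the POST body buffer when no Content-Length is given */` would also document what the value controls.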
@@ -113,7 +122,15 @@
if( data_len == data_max )
{
- data_max = data_max + 10000;
+ /* Realloc buffer, making sure we check for possible size_t overflow */
+ if ( data_max > SIZE_MAX - (DATA_ALLOC_SIZE+1) )
+ {
+ msIO_printf("Content-type: text/html%c%c",10,10);
+ msIO_printf("Possible size_t overflow, cannot reallocate input buffer, POST body too large?\n" );
+ exit(1);
+ }
+
+ data_max = data_max + DATA_ALLOC_SIZE;
data = (char *) realloc(data, data_max+1);
if( data == NULL )
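Review bot: The guard `data_max > SIZE_MAX - (DATA_ALLOC_SIZE+1)` prevents wraparound of `data_max+1`, but it sets no practical limit on the body. The buffer still grows by `DATA_ALLOC_SIZE` per iteration until `realloc()` fails, so a client that sends no Content-Length can push the process towards memory exhaustion long before this branch is reached. The same holds for the Content-Length path earlier in the function, where any value below `SIZE_MAX` is handed to `malloc()`. A ceiling checked at both places would bound this, for example `if( data_max > POST_BODY_LIMIT - DATA_ALLOC_SIZE )`, where `POST_BODY_LIMIT` is a placeholder for a project-chosen maximum. The `realloc()` NULL branch lies outside the hunk, so its handling cannot be checked from here.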
Modified: branches/branch-4-10/mapserver/map.h
===================================================================
--- branches/branch-4-10/mapserver/map.h 2009-07-13 20:42:17 UTC (rev 9174)
+++ branches/branch-4-10/mapserver/map.h 2009-07-13 21:02:54 UTC (rev 9175)
@@ -48,6 +48,7 @@
#include <malloc.h>
#else
#include <unistd.h>
+#include <stdint.h>
#endif
#ifndef DISABLE_CVSID
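Review bot: `<stdint.h>` is added only in the `#else` branch, while cgiutil.c now uses `SIZE_MAX` unconditionally. On the branch that includes `<malloc.h>` (its `#if` condition is outside this hunk) the build therefore relies on some other header defining `SIZE_MAX`, which older compilers may not do. A fallback placed after the conditional block would make this independent of the platform: `#ifndef SIZE_MAX` / `#define SIZE_MAX ((size_t)-1)` / `#endif`.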