[mapserver-commits] r9803 - branches/branch-5-6/mapserver

[svn at osgeo.org]

Author: pramsey
Date: 2010-02-18 14:28:12 -0500 (Thu, 18 Feb 2010)
New Revision: 9803

Modified:
   branches/branch-5-6/mapserver/HISTORY.TXT
   branches/branch-5-6/mapserver/mappostgis.c
Log:
Avoid memory error when building SQL bbox (#3324)



Modified: branches/branch-5-6/mapserver/HISTORY.TXT
===================================================================
--- branches/branch-5-6/mapserver/HISTORY.TXT	2010-02-18 19:27:18 UTC (rev 9802)
+++ branches/branch-5-6/mapserver/HISTORY.TXT	2010-02-18 19:28:12 UTC (rev 9803)
@@ -15,6 +15,8 @@
 Current Version (SVN branch-5-6):
 --------------------------------
 
+- Avoid memory error when building SQL bbox (#3324)
+
 - Determine PgSQL version in a more backwards compatible way (#3291)
 
 - Implemented RFC 52 LayerResultsGetShape support for OGR connection type. (#3069)

Modified: branches/branch-5-6/mapserver/mappostgis.c
===================================================================
--- branches/branch-5-6/mapserver/mappostgis.c	2010-02-18 19:27:18 UTC (rev 9802)
+++ branches/branch-5-6/mapserver/mappostgis.c	2010-02-18 19:28:12 UTC (rev 9803)
@@ -912,32 +912,44 @@
 char *msPostGISBuildSQLBox(layerObj *layer, rectObj *rect, char *strSRID) {
 
     char *strBox = NULL;
+    size_t sz;
 
     if (layer->debug) {
         msDebug("msPostGISBuildSQLBox called.\n");
     }
 
     if ( strSRID ) {
-        static char *strBoxTemplate = "GeomFromText('POLYGON((%.15g %.15g,%.15g %.15g,%.15g %.15g,%.15g %.15g,%.15g %.15g))',%s)";
+        static char *strBoxTemplate = "GeomFromText('POLYGON((%.15f %.15f,%.15f %.15f,%.15f %.15f,%.15f %.15f,%.15f %.15f))',%s)";
         /* 10 doubles + 1 integer + template characters */
-        strBox = (char*)malloc(10 * 15 + strlen(strSRID) + strlen(strBoxTemplate));
-        sprintf(strBox, strBoxTemplate,
+        sz = 10 * 15 + strlen(strSRID) + strlen(strBoxTemplate);
+        strBox = (char*)malloc(sz+1); /* add space for terminating NULL */
+        if ( sz <= snprintf(strBox, sz, strBoxTemplate,
                 rect->minx, rect->miny,
                 rect->minx, rect->maxy,
                 rect->maxx, rect->maxy,
                 rect->maxx, rect->miny,
                 rect->minx, rect->miny,
-                strSRID);
+                strSRID) )
+	{
+        	msSetError(MS_MISCERR,"Bounding box digits truncated.","msPostGISBuildSQLBox");
+        	return 0;
+	}
     } else {
-        static char *strBoxTemplate = "GeomFromText('POLYGON((%.15g %.15g,%.15g %.15g,%.15g %.15g,%.15g %.15g,%.15g %.15g))')";
+        static char *strBoxTemplate = "GeomFromText('POLYGON((%.15f %.15f,%.15f %.15f,%.15f %.15f,%.15f %.15f,%.15f %.15f))')";
         /* 10 doubles + template characters */
-        strBox = (char*)malloc(10 * 15 + strlen(strBoxTemplate));
-        sprintf(strBox, strBoxTemplate,
+        sz = 10 * 15 + strlen(strBoxTemplate);
+        strBox = (char*)malloc(sz+1); /* add space for terminating NULL */
+        if ( sz <= snprintf(strBox, sz, strBoxTemplate,
                 rect->minx, rect->miny,
                 rect->minx, rect->maxy,
                 rect->maxx, rect->maxy,
                 rect->maxx, rect->miny,
-                rect->minx, rect->miny);
+                rect->minx, rect->miny) )
+	{
+        	msSetError(MS_MISCERR,"Bounding box digits truncated.","msPostGISBuildSQLBox");
+        	return 0;
+	}
+	
     }
 
     return strBox;