[mapserver-dev] A buffer overflow in maporaclespatial

Albert Rovira arovira at ngeografics.com
Thu Jul 10 10:29:50 EDT 2008 

Hello,

I get a core dump when I using this layer definition:

   LAYER
     CLASSITEM "vu_id"
     CONNECTION "cerc/cerc at cerc"
     CONNECTIONTYPE ORACLESPATIAL
     DATA "SHAPE from (select id,shape,vu_id from cercalia.LOIS_MAPA 
where (categoria_id = '9CQRUT' and tipo_id = '039') or (categoria_id = 
'9CQRUT' and tipo_id = '069') or (categoria_id = '9CQRUT' and tipo_id = 
'004') or (categoria_id = '9CQRUT' and tipo_id = '005') or (categoria_id 
= '9CQRUT' and tipo_id = '066') or (categoria_id = '9CQRUT' and tipo_id 
= '047') or (categoria_id = '9CQRUT' and tipo_id = '078') or ...

**** BANDWITDH SAVER **** ;-)

  ... (categoria_id = '9CQRUT' and tipo_id = '076') or (categoria_id = 
'9CQRUT' and tipo_id = '008') or (categoria_id = '9CQRUT' and tipo_id = 
'007') or (categoria_id = '9CQRUT' and tipo_id = '052') or (categoria_id 
= '9CQRUT' and tipo_id = '019') or (categoria_id = '9CQRUT' and tipo_id 
= '020') or (categoria_id = '9CQRUT' and tipo_id = '011') or 
(categoria_id = '9CQRUT' and tipo_id = '029')) using srid 558000" 
DEBUG ON
     DUMP TRUE
       METADATA
       END
     NAME "lois"
     SIZEUNITS PIXELS
     STATUS ON
     TOLERANCEUNITS PIXELS
     TYPE LINE
     UNITS METERS
     CLASS
       EXPRESSION /4560/
       METADATA
       END
       STYLE
         ANGLE 360
         OUTLINECOLOR 250 220 0
         SIZE 4
         SYMBOL 8
       END
     END
     CLASS
       EXPRESSION /4561/
       METADATA
       END
       STYLE
         ANGLE 360
         OUTLINECOLOR 250 220 0
         SIZE 4
         SYMBOL 8
       END
     END
     CLASS
       EXPRESSION /4562/
       METADATA
       END
       STYLE
         ANGLE 360
         OUTLINECOLOR 250 220 0
         SIZE 4
         SYMBOL 8
       END
     END
END


After dig a bit in mapOracleSpatial.c, I see that table_name array is 
too small to hold the select string that is about 3200 bytes.

Line 1628 in mapOracleSpatial.c:

/* create SQL statement for retrieving shapes */
int msOracleSpatialLayerWhichShapes( layerObj *layer, rectObj rect )
{
     int success, i;
     int function = 0;
     int version = 0;
     char query_str[6000];
     char table_name[2000], geom_column_name[100], unique[100], srid[100];


Can Mapserver team modify it to use dinamic strings ? If not, can 
Mapserver team make this array bigger ? It's a bit annoying must 
recompile mapserver only for this little bug.

Thanks,
Albert.

More information about the mapserver-dev mailing list