[mapserver-dev] crash bug / win 7

Steve Lime Steve.Lime at dnr.state.mn.us
Mon Oct 5 19:28:47 EDT 2009


We've tried to fix a bunch of these in the past few months but obviously have work
to do. Many instances using sscanf are legit. I'm most worried about those that could
be triggered by external entities and this sounds like one since one could plant a 
specially crafted font file I suppose. I checked 5.4 and you can't modify the fontset
via URL so the risk is low. Older versions don't allow that either.

It's easy enough to fix so let's do that. Please create a ticket and let's take care
of them (I count 21 instances of sscanf in *.c although only a few have string targets)...

Steve

>>> On 10/5/2009 at 5:29 PM, in message
<3B6819E719271748B923CE3CDBD4EC9805898DBD at srcmail1.extendthereach.com>, "Ned
Harding" <nharding at extendthereach.com> wrote:
> I ran into a subtle crash bug on Windows 7 that didn't happen on Vista.
> It turned out that the fontset that I was using has an alias over 64
> characters.  msLoadFontSet(...) in mapLabel.c has a sscanf in it that
> has a fixed size 64 character buffer.  It seems the only reason that
> win7 crashed and vista didn't is that win7 has better stack overrun
> protection.
> 
> When I went to fix it to submit a patch, I realized that sscanf is used
> a bunch of times in mapserver without any checking that the buffer is
> big enough. 
> 
> So the question is:  are we ok with weird input causing a buffer overrun
> & crash, or is this something that needs to get fixed?  I can of course
> fix my font set to work around this problem.
> 
> ned.
> _______________________________________________
> mapserver-dev mailing list
> mapserver-dev at lists.osgeo.org 
> http://lists.osgeo.org/mailman/listinfo/mapserver-dev
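The pattern Ned describes (an unbounded `sscanf` `"%s"` conversion into a fixed 64-byte buffer) shown beside a hardened form that bounds the write with a width specifier and rejects an over-long alias instead of silently truncating it. This is an added example, not MapServer's code; the "alias path" line format, `PATH_SIZE`, and the helper names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define ALIAS_SIZE 64   /* the 64-character buffer discussed in the thread */
#define PATH_SIZE  256  /* constructed size for this example */

/* The defect from the thread: "%s" with no width stores the whole token, so an
 * alias of 64+ characters overruns alias[]. Comparison only; nothing calls it. */
int parse_fontset_line_unsafe(const char *line, char *alias, char *path)
{
    return sscanf(line, "%s %s", alias, path) == 2;
}

/* Read one whitespace-delimited token into buf (capacity cap) with a width
 * specifier, so sscanf can never write past buf. Returns the input characters
 * consumed, 0 if no token, or -1 if the token exceeds cap-1 (reported rather
 * than silently truncated, which would misparse the rest of the line). */
static int read_token(const char *s, char *buf, size_t cap)
{
    char fmt[32];
    int consumed = 0;
    snprintf(fmt, sizeof fmt, "%%%zus%%n", cap - 1);   /* e.g. "%63s%n" */
    if (sscanf(s, fmt, buf, &consumed) != 1)
        return 0;
    /* The next unconsumed character must be whitespace or end of string;
     * anything else means the token continued past the width cap. */
    if (s[consumed] != '\0' && strchr(" \t\r\n", s[consumed]) == NULL)
        return -1;
    return consumed;
}

/* Hardened parser for an "alias path" fontset line (assumed line format).
 * Returns 1 on success, 0 on a malformed line, -1 if a field is too long. */
int parse_fontset_line_safe(const char *line, char alias[ALIAS_SIZE], char path[PATH_SIZE])
{
    int n = read_token(line, alias, ALIAS_SIZE);
    if (n <= 0) return n;
    int m = read_token(line + n, path, PATH_SIZE);
    return m <= 0 ? m : 1;
}

/* Constructed input: an alias of alias_len 'a' characters followed by a path.
 * Returns the parser status so the 63/64-character boundary can be checked. */
int alias_status_for_length(size_t alias_len)
{
    char line[600], alias[ALIAS_SIZE], path[PATH_SIZE];
    if (alias_len > 500) alias_len = 500;          /* keep the demo buffer safe */
    memset(line, 'a', alias_len);
    strcpy(line + alias_len, " /usr/share/fonts/ttf/arial.ttf");
    return parse_fontset_line_safe(line, alias, path);
}
```

An alias of exactly 63 characters still fits the 64-byte buffer with its terminator, while 64 or more is reported as too long instead of overrunning the stack.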
