[mapserver-dev] Ticket 3537 - Buffer overflow vulnerabilities

Daniel Morissette dmorissette at mapgears.com
Wed Oct 6 11:21:49 EDT 2010

Alan Boudreault wrote:
> Here's the patches:
> http://trac.osgeo.org/mapserver/attachment/ticket/3537/3537-1.patch
> http://trac.osgeo.org/mapserver/attachment/ticket/3537/3537-2.patch


Initializing a variable (and arrays) with a non-static value is not
valid in ANSI C (a.k.a. C89/90) and may not work on all compilers. I
know of at least VC++ on Windows that will fail.

i.e. the following pattern added in mapfile.c (and possibly elsewhere)

        size_t buffer_size = 10 + strlen(value+5) + 1;
 	char *init_string = (char*)malloc(buffer_size);

should be replaced with:

	size_t buffer_size;
 	char *init_string;

        buffer_size = 10 + strlen(value+5) + 1;
 	init_string = (char*)malloc(buffer_size);

I also noticed the following pattern in a few places. I don't know if
that's allowed or not in C89/90. Since bufferSize is a const that may be
okay, but I'm not 100% sure:

    const size_t bufferSize = 1024;
    char szBuffer[bufferSize];

Could someone please apply and test the patches on Windows?

Daniel Morissette

More information about the mapserver-dev mailing list