[mapserver-dev] App crash in mapparser.y

Tamas Szekeres szekerest at gmail.com
Sat Feb 19 05:55:20 PST 2022 

Hi Devs,

I got a crash log which shows that the access violation is happening in the
following location:

*mapserver!yylex+0x1b5
[e:\builds-t1\src\mapserver-intramaps\vc15x64\mapparser.y @ 858]
		mapserver!yyparse+0x247 [e:\home\even\mapserver\mapserver\mapparser.c @ 1461]
		mapserver!msEvalContext+0x178
[e:\builds-t1\src\mapserver-intramaps\maputil.c @ 442]
		mapserver!msDrawVectorLayer+0xb0
[e:\builds-t1\src\mapserver-intramaps\mapdraw.c @ 918]
		mapserver!msDrawLayer+0x3a3
[e:\builds-t1\src\mapserver-intramaps\mapdraw.c @ 813]
		mapserver!msDrawMap+0x415
[e:\builds-t1\src\mapserver-intramaps\mapdraw.c @ 403]
		mapscript!CSharp_mapObj_draw+0xd*

By looking into the corresponding code, the problem has happened in the
following location in yylex():




* case MS_TOKEN_BINDING_INTEGER:    token = NUMBER; ---->
(*lvalp).dblval =
atof(p->shape->values[p->expr->curtoken->tokenval.bindval.index]);
break;*

In maputil.c the call stack location is here (msEvalContext):










*msTokenizeExpression(&e, NULL, NULL);  p.shape = NULL;  p.expr = &e;
p.expr->curtoken = p.expr->tokens; /* reset */  p.type =
MS_PARSE_TYPE_BOOLEAN;----->  status = yyparse(&p);
msFreeExpression(&e);*

And in mapdraw.c







* /* TODO TBT: draw as raster layer in vector renderers */----->
annotate = msEvalContext(map, layer, layer->labelrequires);
if(map->scaledenom > 0) {    if((layer->labelmaxscaledenom != -1) &&
(map->scaledenom >= layer->labelmaxscaledenom)) annotate = MS_FALSE;
 if((layer->labelminscaledenom != -1) && (map->scaledenom <
layer->labelminscaledenom)) annotate = MS_FALSE;  }*

I'm not sure if the LABELREQUIRES option supports attribute binding
(probably not) and in that case the
p->expr->curtoken->tokenval.bindval.index would probably have undefined
value. I don't have any information about the corresponding LABELREQUIRES
expression , but if I assume it doesn't contain attribute binding, then
this crash might probably happen due to a missing parser lock around
*yyparse(&p).
*What do you think about the problem and how could we work around this?

Thanks,

Tamas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/mapserver-dev/attachments/20220219/c30c23bd/attachment.html>

More information about the MapServer-dev mailing list