[postgis-tickets] r15483 - Fix buffer overflow and use of uninitialized values

Sandro Santilli strk at kbt.io
Mon Jul 10 11:00:50 PDT 2017 

Author: strk
Date: 2017-07-10 11:00:49 -0700 (Mon, 10 Jul 2017)
New Revision: 15483

Modified:
   branches/2.3/NEWS
   branches/2.3/loader/pgsql2shp-core.c
Log:
Fix buffer overflow and use of uninitialized values

Closes #3101 for 2.3 branch

Modified: branches/2.3/NEWS
===================================================================
--- branches/2.3/NEWS	2017-07-10 17:51:23 UTC (rev 15482)
+++ branches/2.3/NEWS	2017-07-10 18:00:49 UTC (rev 15483)
@@ -3,12 +3,10 @@
 
   * Bug Fixes
 
-  - #3782, Memory leak in lwline_from_wkb_state
-           (Even Rouault)
+  - #3782, Memory leak in lwline_from_wkb_state (Even Rouault)
+  - #3101, Fix buffer overflow in pgsql2shp (Sandro Santilli)
 
 
-
-
 PostGIS 2.3.3
 2017/07/01
 

Modified: branches/2.3/loader/pgsql2shp-core.c
===================================================================
--- branches/2.3/loader/pgsql2shp-core.c	2017-07-10 17:51:23 UTC (rev 15482)
+++ branches/2.3/loader/pgsql2shp-core.c	2017-07-10 18:00:49 UTC (rev 15483)
@@ -1156,6 +1156,7 @@
 	/* Set any state defaults */
 	state->conn = NULL;
 	state->outtype = 's';
+	state->outshptype = 0;
 	state->geom_oid = 0;
 	state->geog_oid = 0;
 	state->schema = NULL;
@@ -1167,6 +1168,7 @@
 	state->dbffieldtypes = NULL;
 	state->pgfieldnames = NULL;
 	state->big_endian = is_bigendian();
+	state->message[0] = '\0';
 	colmap_init(&state->column_map);
 
 	return state;
@@ -1557,9 +1559,13 @@
 		/* Issue warning if column has been renamed */
 		if (strcasecmp(dbffieldname, pgfieldname))
 		{
+			if ( snprintf(buf, 256, _("Warning, field %s renamed to %s\n"),
+							 pgfieldname, dbffieldname) >= 256 )
+			{
+				buf[255] = '\0';
+			}
 			/* Note: we concatenate all warnings from the main loop as this is useful information */
-			snprintf(buf, 256, _("Warning, field %s renamed to %s\n"), pgfieldname, dbffieldname);
-			strncat(state->message, buf, SHPDUMPERMSGLEN - strlen(state->message));
+			strncat(state->message, buf, SHPDUMPERMSGLEN - strlen(state->message) - 1);
 
 			ret = SHPDUMPERWARN;
 		}

More information about the postgis-tickets mailing list