[Shapelib] Bug in DBFCloneEmpty
René Madsen
madsen at neozone.com
Thu Jun 9 14:54:18 PDT 2005
Hi All

I identified a bug in DBFCloneEmpty.

The lines to copy field types state:

newDBF->pachFieldType = (char *) malloc ( sizeof(int) * psDBF->nFields );
memcpy ( newDBF->pachFieldType, psDBF->pachFieldType, sizeof(int) * psDBF->nFields );

However, in shapelib.h pachFieldType is defined as

char *pachFieldType;

and in DBFOpen it is initialised as

psDBF->pachFieldType = (char *) malloc(sizeof(char) * nFields);

and reallocated in DBFAddField as

psDBF->pachFieldType = (char *) SfRealloc( psDBF->pachFieldType, sizeof(char) * psDBF->nFields );

This causes a read overflow on psDBF->pachFieldType in memcpy that occasionally generates an access violation.

A code change to

newDBF->pachFieldType = (char *) malloc ( sizeof(char) * psDBF->nFields );
memcpy ( newDBF->pachFieldType, psDBF->pachFieldType, sizeof(char) * psDBF->nFields );

fixes the problem.
Regards
Rene Madsen
NeoZone A/S
Technical Director
Address: Amaliegade 16
DK-1256 København K
Email: madsen at neozone.com
Tel office: +45 7020 6166
Fax: +45 3332 2291
Mobile: +45 2013 4420
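The following is an added example, not code from the Shapelib sources or from the mail above. It models only the two DBFInfo members the report mentions (nFields and the char array pachFieldType) and shows the defensive idiom that prevents this class of bug: deriving the element size from the destination pointer's own type with `sizeof *ptr` rather than hard-coding `sizeof(int)`, so the byte count cannot disagree with the declaration in the header. It also computes how many bytes past the end of the source array the original memcpy read, which is what makes the access violation intermittent (it depends on what happens to follow the buffer). The struct name, helper names and the three-field sample table are assumptions constructed for this example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Minimal model of the two DBFInfo members that DBFCloneEmpty copies.
 * Assumption: the real shapelib struct has many more members; only the
 * field count and the one-char-per-field type array are modelled here. */
typedef struct {
    int   nFields;
    char *pachFieldType;   /* one type character per field, as in shapelib.h */
} DBFInfoModel;

/* Bytes the original memcpy read past the end of psDBF->pachFieldType:
 * it copied sizeof(int) per field from a buffer that holds sizeof(char)
 * per field. */
size_t field_type_overread_bytes(int nFields)
{
    if (nFields <= 0)
        return 0;
    return (sizeof(int) - sizeof(char)) * (size_t)nFields;
}

/* Corrected clone of the field-type array. The element size comes from the
 * destination pointer's own type (sizeof *dst->pachFieldType), so it tracks
 * the declaration automatically. Returns 0 on success, -1 if malloc fails. */
int clone_field_types(const DBFInfoModel *src, DBFInfoModel *dst)
{
    size_t nbytes;

    dst->nFields = src->nFields;
    dst->pachFieldType = NULL;
    if (src->nFields <= 0 || src->pachFieldType == NULL)
        return 0;                       /* nothing to copy: empty table */

    nbytes = sizeof *dst->pachFieldType * (size_t)src->nFields;
    dst->pachFieldType = malloc(nbytes);
    if (dst->pachFieldType == NULL)
        return -1;
    memcpy(dst->pachFieldType, src->pachFieldType, nbytes);
    return 0;
}

/* 1 if both models describe the same field count and type characters. */
int field_types_equal(const DBFInfoModel *a, const DBFInfoModel *b)
{
    if (a->nFields != b->nFields)
        return 0;
    if (a->nFields <= 0)
        return 1;
    return memcmp(a->pachFieldType, b->pachFieldType, (size_t)a->nFields) == 0;
}

void free_field_types(DBFInfoModel *d)
{
    free(d->pachFieldType);
    d->pachFieldType = NULL;
    d->nFields = 0;
}

/* Round-trip check on a constructed three-field table (Character, Numeric,
 * Date). Returns 1 if the clone is a distinct, byte-identical copy. */
int demo_clone_roundtrip(void)
{
    char types[3] = { 'C', 'N', 'D' };          /* constructed sample */
    DBFInfoModel src = { 3, types };
    DBFInfoModel dst;
    int ok;

    if (clone_field_types(&src, &dst) != 0)
        return 0;
    ok = field_types_equal(&src, &dst) && dst.pachFieldType != types;
    free_field_types(&dst);
    return ok;
}

int main(void)
{
    printf("original memcpy over-read for 3 fields: %zu bytes\n",
           field_type_overread_bytes(3));
    printf("corrected clone round-trip: %s\n",
           demo_clone_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

Using `sizeof *dst->pachFieldType` is the general form of the fix the mail proposes: if the type array were ever changed to a wider element, the allocation and the copy would follow without anyone having to remember to edit DBFCloneEmpty.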