[Shapelib] Bug in DBFCloneEmpty

René Madsen madsen at neozone.com
Thu Jun 9 18:26:47 EDT 2005


Hi All

I identified a bug in DBFCloneEmpty

The lines that copy the field types' states

   newDBF->pachFieldType = (char *) malloc ( sizeof(int) * psDBF->nFields );
   memcpy ( newDBF->pachFieldType, psDBF->pachFieldType, sizeof(int) * psDBF->nFields );

However, in shapelib.h pachFieldType is defined as

    char   *pachFieldType;

and in DBFOpen it's initialised as

    psDBF->pachFieldType = (char *) malloc(sizeof(char) * nFields);

and reallocated in DBFAddField as

    psDBF->pachFieldType = (char *) 
      SfRealloc( psDBF->pachFieldType, sizeof(char) * psDBF->nFields );

This causes a read overflow on psDBF->pachFieldType in memcpy that
occasionally generates an access violation.

A code change to  

   newDBF->pachFieldType = (char *) malloc ( sizeof(char) * psDBF->nFields );
   memcpy ( newDBF->pachFieldType, psDBF->pachFieldType, sizeof(char) * psDBF->nFields );

fixes the problem.



Regards

Rene Madsen

NeoZone A/S
Technical Director
Address: Amaliegade 16
DK-1256 K
Email: madsen at neozone.com
Tel office: +45 7020 6166
Fax: +45 3332 2291
Mobile: +45 2013 4420
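The size mismatch described in the report, as an added example that is not shapelib code: a constructed stub standing in for the two DBFInfo members involved, a function that computes how many bytes the sizeof(int) copy reads past a sizeof(char) buffer, and a corrected clone routine with the length and NULL checks a defensive version would carry.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for shapelib's DBFInfo; only the two members the
 * report discusses are modelled here. */
typedef struct {
    int   nFields;
    char *pachFieldType;   /* one type code per field: 'C', 'N', 'D', 'L', ... */
} dbf_stub;

/* Bytes the original DBFCloneEmpty read past the end of pachFieldType:
 * it copied sizeof(int) bytes per field out of a buffer that holds
 * sizeof(char) bytes per field. */
size_t field_type_overread(int nFields)
{
    return (sizeof(int) - sizeof(char)) * (size_t)nFields;
}

/* Corrected copy: allocate and copy exactly nFields * sizeof(char) bytes.
 * Returns NULL when there is nothing to copy or allocation fails, so the
 * caller never receives a partially initialised buffer. */
char *clone_field_types(const dbf_stub *src)
{
    if (src == NULL || src->nFields <= 0 || src->pachFieldType == NULL)
        return NULL;
    size_t nBytes = sizeof(char) * (size_t)src->nFields;  /* was sizeof(int) in the bug */
    char *copy = (char *)malloc(nBytes);
    if (copy == NULL)
        return NULL;
    memcpy(copy, src->pachFieldType, nBytes);
    return copy;
}

/* Builds a small constructed record, clones its field types and verifies
 * the copy byte for byte. Returns 1 on success, 0 on failure. */
int check_clone(void)
{
    char types[4] = { 'C', 'N', 'D', 'L' };
    dbf_stub src = { 4, types };
    char *copy = clone_field_types(&src);
    int ok = (copy != NULL) && memcmp(copy, types, sizeof types) == 0;
    free(copy);
    return ok;
}

int main(void)
{
    printf("over-read for a 4-field file: %zu bytes\n", field_type_overread(4));
    printf("clone check: %s\n", check_clone() ? "ok" : "FAILED");
    return 0;
}
```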