Fix stack buffer overflow in nc4_check_name()

nc4_check_name() checks that the provided string doesn't exceed NC_MAX_NAME,
but fails to do so after calling nc_utf8_normalize(). This extra check is
needed since a caller of nc4_check_name(), like NC4_def_dim, allocates
norm_name as char norm_name[NC_MAX_NAME + 1]

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2840
Credit to OSS-Fuzz
This commit is contained in:
Even Rouault 2017-08-02 21:54:25 +02:00
parent d18378c69b
commit 1989ddc252

View File

@ -102,6 +102,11 @@ nc4_check_name(const char *name, char *norm_name)
retval = nc_utf8_normalize((const unsigned char *)name,(unsigned char**)&temp);
if(retval != NC_NOERR)
return retval;
if( strlen(temp) > NC_MAX_NAME )
{
free(temp);
return NC_EMAXNAME;
}
strcpy(norm_name, temp);
free(temp);