From 1989ddc252d936c0893ab50d8b315325b9c55e29 Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Wed, 2 Aug 2017 21:54:25 +0200
Subject: [PATCH] Fix stack buffer overflow in nc4_check_name()

nc4_check_name() checks that the provided string doesn't exceed NC_MAX_NAME, but fails to do so after calling nc_utf8_normalize(). This extra check is needed since a caller of nc4_check_name(), like NC4_def_dim, allocates norm_name as char norm_name[NC_MAX_NAME + 1] Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2840 Credit to OSS-Fuzz
---
 libsrc4/nc4internal.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libsrc4/nc4internal.c b/libsrc4/nc4internal.c
index fe6e2f6a9..6ad753799 100644
--- a/libsrc4/nc4internal.c
+++ b/libsrc4/nc4internal.c
@@ -102,6 +102,11 @@ nc4_check_name(const char *name, char *norm_name)
 retval = nc_utf8_normalize((const unsigned char *)name,(unsigned char**)&temp);
 if(retval != NC_NOERR) return retval;
+ if( strlen(temp) > NC_MAX_NAME )
+ {
+ free(temp);
+ return NC_EMAXNAME;
+ }
 strcpy(norm_name, temp);
 free(temp);
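Review bot: The added length check makes the following `strcpy(norm_name, temp)` safe only because every caller sizes norm_name as NC_MAX_NAME + 1, and that contract is not stated anywhere near the function; the commit message is the only place it appears. Add it to the function's header comment so the next caller does not shrink the buffer, e.g. `/* norm_name must point to at least NC_MAX_NAME + 1 bytes; a normalized name longer than NC_MAX_NAME is rejected with NC_EMAXNAME and nothing is written to norm_name. */`. The bound could also be made local to the copy rather than depending on the ordering of the check, by computing the length once, `size_t len = strlen(temp);`, testing `len > NC_MAX_NAME`, and copying with `memcpy(norm_name, temp, len + 1);` in place of strcpy. The head of nc4_check_name, including the pre-normalization length check the message refers to, lies before this hunk.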