diff --git a/ogr/ogrsf_frmts/shape/dbfopen.c b/ogr/ogrsf_frmts/shape/dbfopen.c index 8bac07247992..2486875c1941 100644 --- a/ogr/ogrsf_frmts/shape/dbfopen.c +++ b/ogr/ogrsf_frmts/shape/dbfopen.c @@ -355,10 +355,19 @@ DBFHandle SHPAPI_CALL DBFOpenLL(const char *pszFilename, const char *pszAccess, /* -------------------------------------------------------------------- */ const int nLenWithoutExtension = DBFGetLenWithoutExtension(pszFilename); char *pszFullname = STATIC_CAST(char *, malloc(nLenWithoutExtension + 5)); + if (!pszFullname) + { + return SHPLIB_NULLPTR; + } memcpy(pszFullname, pszFilename, nLenWithoutExtension); memcpy(pszFullname + nLenWithoutExtension, ".dbf", 5); DBFHandle psDBF = STATIC_CAST(DBFHandle, calloc(1, sizeof(DBFInfo))); + if (!psDBF) + { + free(pszFullname); + return SHPLIB_NULLPTR; + } psDBF->fp = psHooks->FOpen(pszFullname, pszAccess, psHooks->pvUserData); memcpy(&(psDBF->sHooks), psHooks, sizeof(SAHooks)); @@ -396,6 +405,14 @@ DBFHandle SHPAPI_CALL DBFOpenLL(const char *pszFilename, const char *pszAccess, /* -------------------------------------------------------------------- */ const int nBufSize = 500; unsigned char *pabyBuf = STATIC_CAST(unsigned char *, malloc(nBufSize)); + if (!pabyBuf) + { + psDBF->sHooks.FClose(psDBF->fp); + if (pfCPG) + psHooks->FClose(pfCPG); + free(psDBF); + return SHPLIB_NULLPTR; + } if (psDBF->sHooks.FRead(pabyBuf, XBASE_FILEHDR_SZ, 1, psDBF->fp) != 1) { psDBF->sHooks.FClose(psDBF->fp); @@ -431,6 +448,15 @@ DBFHandle SHPAPI_CALL DBFOpenLL(const char *pszFilename, const char *pszAccess, /* coverity[tainted_data] */ psDBF->pszCurrentRecord = STATIC_CAST(char *, malloc(psDBF->nRecordLength)); + if (!psDBF->pszCurrentRecord) + { + psDBF->sHooks.FClose(psDBF->fp); + if (pfCPG) + psDBF->sHooks.FClose(pfCPG); + free(pabyBuf); + free(psDBF); + return SHPLIB_NULLPTR; + } /* -------------------------------------------------------------------- */ /* Figure out the code page from the LDID and CPG */ 
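Review bot: The failure branches added to DBFOpenLL each carry their own hand-written close/free sequence, and they already differ. The `pabyBuf` branch closes the CPG file with `psHooks->FClose(pfCPG)`, while the `pszCurrentRecord` branch uses `psDBF->sHooks.FClose(pfCPG)`. Because `psDBF` comes from `calloc`, its unset members are NULL and `free()` on them is harmless, so one shared cleanup label reached by `goto` could replace these ladders. The `realloc` branch in the `@@ -455` hunk could use the same label. That leaves one place to audit when a new resource is added to this parser of untrusted files. The function body starts and ends outside these hunks.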
@@ -445,7 +471,8 @@ DBFHandle SHPAPI_CALL DBFOpenLL(const char *pszFilename, const char *pszAccess, { pabyBuf[n] = '\0'; psDBF->pszCodePage = STATIC_CAST(char *, malloc(n + 1)); - memcpy(psDBF->pszCodePage, pabyBuf, n + 1); + if (psDBF->pszCodePage) + memcpy(psDBF->pszCodePage, pabyBuf, n + 1); } psDBF->sHooks.FClose(pfCPG); } @@ -455,13 +482,26 @@ DBFHandle SHPAPI_CALL DBFOpenLL(const char *pszFilename, const char *pszAccess, psDBF->iLanguageDriver); psDBF->pszCodePage = STATIC_CAST( char *, malloc(strlen(REINTERPRET_CAST(char *, pabyBuf)) + 1)); - strcpy(psDBF->pszCodePage, REINTERPRET_CAST(char *, pabyBuf)); + if (psDBF->pszCodePage) + strcpy(psDBF->pszCodePage, REINTERPRET_CAST(char *, pabyBuf)); } /* -------------------------------------------------------------------- */ /* Read in Field Definitions */ /* -------------------------------------------------------------------- */ - pabyBuf = STATIC_CAST(unsigned char *, realloc(pabyBuf, nHeadLen)); + + unsigned char *pabyBufNew = + STATIC_CAST(unsigned char *, realloc(pabyBuf, nHeadLen)); + if (!pabyBufNew) + { + psDBF->sHooks.FClose(psDBF->fp); + free(pabyBuf); + free(psDBF->pszCurrentRecord); + free(psDBF->pszCodePage); + free(psDBF); + return SHPLIB_NULLPTR; + } + pabyBuf = pabyBufNew; psDBF->pszHeader = REINTERPRET_CAST(char *, pabyBuf); psDBF->sHooks.FSeek(psDBF->fp, XBASE_FILEHDR_SZ, 0); @@ -480,6 +520,12 @@ DBFHandle SHPAPI_CALL DBFOpenLL(const char *pszFilename, const char *pszAccess, psDBF->panFieldSize = STATIC_CAST(int *, malloc(sizeof(int) * nFields)); psDBF->panFieldDecimals = STATIC_CAST(int *, malloc(sizeof(int) * nFields)); psDBF->pachFieldType = STATIC_CAST(char *, malloc(sizeof(char) * nFields)); + if (!psDBF->panFieldOffset || !psDBF->panFieldSize || + !psDBF->panFieldDecimals || !psDBF->pachFieldType) + { + DBFClose(psDBF); + return SHPLIB_NULLPTR; + } for (int iField = 0; iField < nFields; iField++) { 
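Review bot: In the `@@ -480` hunk, `DBFClose(psDBF)` is called on a handle whose four field arrays may be only partly allocated, and `DBFClose` is not shown here. If it frees `panFieldSize`, `panFieldDecimals` and `pachFieldType` only when `panFieldOffset` is non-NULL, a failure of the first `malloc` leaks the other three. It should also be confirmed that it does not try to flush or rewrite the header for a handle that never finished opening. Freeing the four arrays explicitly in this branch would avoid depending on that. Separately, `malloc(sizeof(int) * nFields)` may legitimately return NULL when `nFields` is 0, so if a zero-field header can reach this point the new check turns it into an open failure on such platforms; a guard like `nFields > 0 &&` in front of the NULL test would cover that.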
@@ -627,6 +673,8 @@ DBFHandle SHPAPI_CALL DBFCreateLL(const char *pszFilename, /* -------------------------------------------------------------------- */ const int nLenWithoutExtension = DBFGetLenWithoutExtension(pszFilename); char *pszFullname = STATIC_CAST(char *, malloc(nLenWithoutExtension + 5)); + if (!pszFullname) + return SHPLIB_NULLPTR; memcpy(pszFullname, pszFilename, nLenWithoutExtension); memcpy(pszFullname + nLenWithoutExtension, ".dbf", 5); @@ -672,6 +720,10 @@ DBFHandle SHPAPI_CALL DBFCreateLL(const char *pszFilename, /* Create the info structure. */ /* -------------------------------------------------------------------- */ DBFHandle psDBF = STATIC_CAST(DBFHandle, calloc(1, sizeof(DBFInfo))); + if (!psDBF) + { + return SHPLIB_NULLPTR; + } memcpy(&(psDBF->sHooks), psHooks, sizeof(SAHooks)); psDBF->fp = fp; @@ -699,7 +751,8 @@ DBFHandle SHPAPI_CALL DBFCreateLL(const char *pszFilename, { psDBF->pszCodePage = STATIC_CAST(char *, malloc(strlen(pszCodePage) + 1)); - strcpy(psDBF->pszCodePage, pszCodePage); + if (psDBF->pszCodePage) + strcpy(psDBF->pszCodePage, pszCodePage); } DBFSetLastModifiedDate(psDBF, 95, 7, 26); /* dummy date */ 
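Review bot: The `if (!psDBF)` branch added in the `@@ -672` hunk of DBFCreateLL returns without closing `fp`. `fp` is stored into `psDBF->fp` two lines later, so it appears to be a handle already opened above the hunk, and the early return leaks it. Add `psHooks->FClose(fp);` before `return SHPLIB_NULLPTR;`. The `pszCodePage` change in the `@@ -699` hunk leaves the handle without a code page on allocation failure; that is tolerable only if callers treat a NULL `pszCodePage` as "unknown", which cannot be confirmed from this diff.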
@@ -806,19 +859,67 @@ int SHPAPI_CALL DBFAddNativeFieldType(DBFHandle psDBF, const char *pszFieldName, /* realloc all the arrays larger to hold the additional field */ /* information. */ /* -------------------------------------------------------------------- */ - psDBF->nFields++; - psDBF->panFieldOffset = STATIC_CAST( - int *, realloc(psDBF->panFieldOffset, sizeof(int) * psDBF->nFields)); + int *panFieldOffsetNew = + STATIC_CAST(int *, realloc(psDBF->panFieldOffset, + sizeof(int) * (psDBF->nFields + 1))); - psDBF->panFieldSize = STATIC_CAST( - int *, realloc(psDBF->panFieldSize, sizeof(int) * psDBF->nFields)); + int *panFieldSizeNew = + STATIC_CAST(int *, realloc(psDBF->panFieldSize, + sizeof(int) * (psDBF->nFields + 1))); - psDBF->panFieldDecimals = STATIC_CAST( - int *, realloc(psDBF->panFieldDecimals, sizeof(int) * psDBF->nFields)); + int *panFieldDecimalsNew = + STATIC_CAST(int *, realloc(psDBF->panFieldDecimals, + sizeof(int) * (psDBF->nFields + 1))); - psDBF->pachFieldType = STATIC_CAST( - char *, realloc(psDBF->pachFieldType, sizeof(char) * psDBF->nFields)); + char *pachFieldTypeNew = + STATIC_CAST(char *, realloc(psDBF->pachFieldType, + sizeof(char) * (psDBF->nFields + 1))); + + char *pszHeaderNew = + STATIC_CAST(char *, realloc(psDBF->pszHeader, + (psDBF->nFields + 1) * XBASE_FLDHDR_SZ)); + + /* -------------------------------------------------------------------- */ + /* Make the current record buffer appropriately larger. 
*/ + /* -------------------------------------------------------------------- */ + char *pszCurrentRecordNew = + STATIC_CAST(char *, realloc(psDBF->pszCurrentRecord, + psDBF->nRecordLength + nWidth)); + + if (panFieldOffsetNew) + psDBF->panFieldOffset = panFieldOffsetNew; + if (panFieldSizeNew) + psDBF->panFieldSize = panFieldSizeNew; + if (panFieldDecimalsNew) + psDBF->panFieldDecimals = panFieldDecimalsNew; + if (pachFieldTypeNew) + psDBF->pachFieldType = pachFieldTypeNew; + if (pszHeaderNew) + psDBF->pszHeader = pszHeaderNew; + if (pszCurrentRecordNew) + psDBF->pszCurrentRecord = pszCurrentRecordNew; + + if (!panFieldOffsetNew || !panFieldSizeNew || !panFieldDecimalsNew || + !pachFieldTypeNew || !pszHeaderNew || !pszCurrentRecordNew) + { + psDBF->sHooks.Error("Out of memory"); + return -1; + } + + /* alloc record */ + char *pszRecord = SHPLIB_NULLPTR; + if (!psDBF->bNoHeader) + { + pszRecord = STATIC_CAST(char *, malloc(psDBF->nRecordLength + nWidth)); + if (!pszRecord) + { + psDBF->sHooks.Error("Out of memory"); + return -1; + } + } + + psDBF->nFields++; /* -------------------------------------------------------------------- */ /* Assign the new field information fields. */ @@ -835,9 +936,6 @@ int SHPAPI_CALL DBFAddNativeFieldType(DBFHandle psDBF, const char *pszFieldName, psDBF->nHeaderLength += XBASE_FLDHDR_SZ; psDBF->bUpdated = FALSE; - psDBF->pszHeader = STATIC_CAST( - char *, realloc(psDBF->pszHeader, psDBF->nFields * XBASE_FLDHDR_SZ)); - char *pszFInfo = psDBF->pszHeader + XBASE_FLDHDR_SZ * (psDBF->nFields - 1); for (int i = 0; i < XBASE_FLDHDR_SZ; i++) 
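Review bot: The sequence in DBFAddNativeFieldType that copies each non-NULL `...New` pointer back into `psDBF` before testing for failure is correct but non-obvious, and it has no comment. A reader may "simplify" it into assigning only on full success, which would leave `psDBF` holding pointers that `realloc` has already released. I would add above the `if (panFieldOffsetNew)` line: `/* Commit every realloc that succeeded even if another failed: the old block is invalid once realloc returns non-NULL. nFields is only incremented after all allocations succeed, so the handle stays consistent. */`. The function continues outside this hunk.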
@@ -858,12 +956,6 @@ int SHPAPI_CALL DBFAddNativeFieldType(DBFHandle psDBF, const char *pszFieldName, pszFInfo[17] = STATIC_CAST(unsigned char, nDecimals); } - /* -------------------------------------------------------------------- */ - /* Make the current record buffer appropriately larger. */ - /* -------------------------------------------------------------------- */ - psDBF->pszCurrentRecord = STATIC_CAST( - char *, realloc(psDBF->pszCurrentRecord, psDBF->nRecordLength)); - /* we're done if dealing with new .dbf */ if (psDBF->bNoHeader) return (psDBF->nFields - 1); @@ -872,10 +964,6 @@ int SHPAPI_CALL DBFAddNativeFieldType(DBFHandle psDBF, const char *pszFieldName, /* For existing .dbf file, shift records */ /* -------------------------------------------------------------------- */ - /* alloc record */ - char *pszRecord = - STATIC_CAST(char *, malloc(sizeof(char) * psDBF->nRecordLength)); - const char chFieldFill = DBFGetNullCharacter(chType); SAOffset nRecordOffset; @@ -1783,11 +1871,7 @@ int SHPAPI_CALL DBFMarkRecordDeleted(DBFHandle psDBF, int iShape, /* -------------------------------------------------------------------- */ /* Assign value, marking record as dirty if it changes. */ /* -------------------------------------------------------------------- */ - char chNewFlag; - if (bIsDeleted) - chNewFlag = '*'; - else - chNewFlag = ' '; + const char chNewFlag = bIsDeleted ? '*' : ' '; if (psDBF->pszCurrentRecord[0] != chNewFlag) { 
@@ -1965,6 +2049,31 @@ int SHPAPI_CALL DBFReorderFields(DBFHandle psDBF, const int *panMap) STATIC_CAST(char *, calloc(psDBF->nFields, sizeof(char))); char *pszHeaderNew = STATIC_CAST( char *, malloc(sizeof(char) * XBASE_FLDHDR_SZ * psDBF->nFields)); + char *pszRecord = SHPLIB_NULLPTR; + char *pszRecordNew = SHPLIB_NULLPTR; + if (!(psDBF->bNoHeader && psDBF->nRecords == 0)) + { + /* alloc record */ + pszRecord = + STATIC_CAST(char *, malloc(sizeof(char) * psDBF->nRecordLength)); + pszRecordNew = + STATIC_CAST(char *, malloc(sizeof(char) * psDBF->nRecordLength)); + } + if (!panFieldOffsetNew || !panFieldSizeNew || !panFieldDecimalsNew || + !pachFieldTypeNew || !pszHeaderNew || + (!(psDBF->bNoHeader && psDBF->nRecords == 0) && + (!pszRecord || !pszRecordNew))) + { + free(panFieldOffsetNew); + free(panFieldSizeNew); + free(panFieldDecimalsNew); + free(pachFieldTypeNew); + free(pszHeaderNew); + free(pszRecord); + free(pszRecordNew); + psDBF->sHooks.Error("Out of memory"); + return FALSE; + } /* shuffle fields definitions */ for (int i = 0; i < psDBF->nFields; i++) @@ -1994,12 +2103,6 @@ int SHPAPI_CALL DBFReorderFields(DBFHandle psDBF, const int *panMap) psDBF->bNoHeader = TRUE; DBFUpdateHeader(psDBF); - /* alloc record */ - char *pszRecord = - STATIC_CAST(char *, malloc(sizeof(char) * psDBF->nRecordLength)); - char *pszRecordNew = - STATIC_CAST(char *, malloc(sizeof(char) * psDBF->nRecordLength)); - /* shuffle fields in records */ for (int iRecord = 0; iRecord < psDBF->nRecords; iRecord++) { @@ -2030,12 +2133,12 @@ int SHPAPI_CALL DBFReorderFields(DBFHandle psDBF, const int *panMap) psDBF->sHooks.FWrite(pszRecordNew, psDBF->nRecordLength, 1, psDBF->fp); } - - /* free record */ - free(pszRecord); - free(pszRecordNew); } + /* free record */ + free(pszRecord); + free(pszRecordNew); + if (errorAbort) { free(panFieldOffsetNew); 
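Review bot: The condition `!(psDBF->bNoHeader && psDBF->nRecords == 0)` is now written twice in the `@@ -1965` hunk, once to decide whether to allocate the record buffers and once inside the NULL test. It also has to match the later block that sets `psDBF->bNoHeader = TRUE`. Capturing it once, e.g. `const int bHasRecordsToRewrite = !(psDBF->bNoHeader && psDBF->nRecords == 0);`, and using that in both places makes it explicit that the decision is taken before `bNoHeader` is modified. It also keeps the allocation and its check from drifting apart. The guarded rewrite block itself begins outside this hunk.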
@@ -2098,6 +2201,31 @@ int SHPAPI_CALL DBFAlterFieldDefn(DBFHandle psDBF, int iField, if (nWidth > XBASE_FLD_MAX_WIDTH) nWidth = XBASE_FLD_MAX_WIDTH; + char *pszRecord = STATIC_CAST( + char *, malloc(nOldRecordLength + + ((nWidth > nOldWidth) ? nWidth - nOldWidth : 0))); + char *pszOldField = STATIC_CAST(char *, malloc(nOldWidth + 1)); + if (!pszRecord || !pszOldField) + { + free(pszRecord); + free(pszOldField); + return FALSE; + } + + if (nWidth != nOldWidth) + { + char *pszCurrentRecordNew = STATIC_CAST( + char *, realloc(psDBF->pszCurrentRecord, + psDBF->nRecordLength + nWidth - nOldWidth)); + if (!pszCurrentRecordNew) + { + free(pszRecord); + free(pszOldField); + return FALSE; + } + psDBF->pszCurrentRecord = pszCurrentRecordNew; + } + /* -------------------------------------------------------------------- */ /* Assign the new field information fields. */ /* -------------------------------------------------------------------- */ @@ -2136,14 +2264,15 @@ int SHPAPI_CALL DBFAlterFieldDefn(DBFHandle psDBF, int iField, for (int i = iField + 1; i < psDBF->nFields; i++) psDBF->panFieldOffset[i] += nWidth - nOldWidth; psDBF->nRecordLength += nWidth - nOldWidth; - - psDBF->pszCurrentRecord = STATIC_CAST( - char *, realloc(psDBF->pszCurrentRecord, psDBF->nRecordLength)); } /* we're done if we're dealing with not yet created .dbf */ if (psDBF->bNoHeader && psDBF->nRecords == 0) + { + free(pszRecord); + free(pszOldField); return TRUE; + } /* force update of header with new header and record length */ psDBF->bNoHeader = TRUE; @@ -2153,11 +2282,6 @@ int SHPAPI_CALL DBFAlterFieldDefn(DBFHandle psDBF, int iField, if (nWidth < nOldWidth || (nWidth == nOldWidth && chType != chOldType)) { - char *pszRecord = - STATIC_CAST(char *, malloc(sizeof(char) * nOldRecordLength)); - char *pszOldField = - STATIC_CAST(char *, malloc(sizeof(char) * (nOldWidth + 1))); - pszOldField[nOldWidth] = 0; /* move records to their new positions */ 
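Review bot: Both allocation-failure returns added to DBFAlterFieldDefn in the `@@ -2098` hunk return `FALSE` without reporting anything. The equivalent paths this commit adds to DBFAddNativeFieldType and DBFReorderFields call `psDBF->sHooks.Error("Out of memory")` first. As written, a caller cannot tell an out-of-memory condition apart from the function's other failure returns. Add `psDBF->sHooks.Error("Out of memory");` before each of the two `return FALSE;` statements. The function body starts and ends outside this hunk.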
@@ -2225,17 +2349,9 @@ int SHPAPI_CALL DBFAlterFieldDefn(DBFHandle psDBF, int iField, psDBF->sHooks.FWrite(&ch, 1, 1, psDBF->fp); } /* TODO: truncate file */ - - free(pszRecord); - free(pszOldField); } else if (nWidth > nOldWidth) { - char *pszRecord = - STATIC_CAST(char *, malloc(sizeof(char) * psDBF->nRecordLength)); - char *pszOldField = - STATIC_CAST(char *, malloc(sizeof(char) * (nOldWidth + 1))); - pszOldField[nOldWidth] = 0; /* move records to their new positions */ @@ -2298,7 +2414,7 @@ int SHPAPI_CALL DBFAlterFieldDefn(DBFHandle psDBF, int iField, if (!errorAbort && psDBF->bWriteEndOfFileChar) { - char ch = END_OF_FILE_CHARACTER; + const char ch = END_OF_FILE_CHARACTER; SAOffset nRecordOffset = psDBF->nRecordLength * STATIC_CAST(SAOffset, psDBF->nRecords) + @@ -2307,11 +2423,11 @@ int SHPAPI_CALL DBFAlterFieldDefn(DBFHandle psDBF, int iField, psDBF->sHooks.FSeek(psDBF->fp, nRecordOffset, 0); psDBF->sHooks.FWrite(&ch, 1, 1, psDBF->fp); } - - free(pszRecord); - free(pszOldField); } + free(pszRecord); + free(pszOldField); + if (errorAbort) { psDBF->nCurrentRecord = -1; diff --git a/ogr/ogrsf_frmts/shape/sbnsearch.c b/ogr/ogrsf_frmts/shape/sbnsearch.c index e5766a4d3492..7ecca02141c3 100644 --- a/ogr/ogrsf_frmts/shape/sbnsearch.c +++ b/ogr/ogrsf_frmts/shape/sbnsearch.c @@ -128,6 +128,8 @@ SBNSearchHandle SBNOpenDiskTree(const char *pszSBNFilename, /* -------------------------------------------------------------------- */ SBNSearchHandle hSBN = STATIC_CAST(SBNSearchHandle, calloc(1, sizeof(struct SBNSearchInfo))); + if (!hSBN) + return SHPLIB_NULLPTR; if (psHooks == SHPLIB_NULLPTR) SASetupDefaultHooks(&(hSBN->sHooks)); diff --git a/ogr/ogrsf_frmts/shape/shpopen.c b/ogr/ogrsf_frmts/shape/shpopen.c index 014e15770c67..042c1a270366 100644 --- a/ogr/ogrsf_frmts/shape/shpopen.c +++ b/ogr/ogrsf_frmts/shape/shpopen.c 
@@ -280,6 +280,8 @@ SHPHandle SHPAPI_CALL SHPOpenLL(const char *pszLayer, const char *pszAccess, /* Initialize the info structure. */ /* -------------------------------------------------------------------- */ SHPHandle psSHP = STATIC_CAST(SHPHandle, calloc(1, sizeof(SHPInfo))); + if (!psSHP) + return SHPLIB_NULLPTR; psSHP->bUpdated = FALSE; memcpy(&(psSHP->sHooks), psHooks, sizeof(SAHooks)); @@ -290,6 +292,11 @@ SHPHandle SHPAPI_CALL SHPOpenLL(const char *pszLayer, const char *pszAccess, /* -------------------------------------------------------------------- */ const int nLenWithoutExtension = SHPGetLenWithoutExtension(pszLayer); char *pszFullname = STATIC_CAST(char *, malloc(nLenWithoutExtension + 5)); + if (!pszFullname) + { + free(psSHP); + return SHPLIB_NULLPTR; + } memcpy(pszFullname, pszLayer, nLenWithoutExtension); memcpy(pszFullname + nLenWithoutExtension, ".shp", 5); psSHP->fpSHP = @@ -305,12 +312,15 @@ SHPHandle SHPAPI_CALL SHPOpenLL(const char *pszLayer, const char *pszAccess, { const size_t nMessageLen = strlen(pszFullname) * 2 + 256; char *pszMessage = STATIC_CAST(char *, malloc(nMessageLen)); - pszFullname[nLenWithoutExtension] = 0; - snprintf(pszMessage, nMessageLen, - "Unable to open %s.shp or %s.SHP in %s mode.", pszFullname, - pszFullname, pszAccess); - psHooks->Error(pszMessage); - free(pszMessage); + if (pszMessage) + { + pszFullname[nLenWithoutExtension] = 0; + snprintf(pszMessage, nMessageLen, + "Unable to open %s.shp or %s.SHP in %s mode.", pszFullname, + pszFullname, pszAccess); + psHooks->Error(pszMessage); + free(pszMessage); + } free(psSHP); free(pszFullname); 
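Review bot: In the `@@ -305` hunk, when `malloc(nMessageLen)` fails the function still returns failure but `psHooks->Error` is never called, so the open error disappears without any diagnostic. The same pattern is added in the `@@ -333` hunk and in the `@@ -674` and `@@ -717` hunks of SHPRestoreSHX. An `else` branch with a static string keeps the failure visible without needing a heap buffer, for example `else psHooks->Error("Out of memory");`.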
@@ -333,13 +343,16 @@ SHPHandle SHPAPI_CALL SHPOpenLL(const char *pszLayer, const char *pszAccess, const size_t nMessageLen = 64 + strlen(pszFullname) * 2 + strlen(SHP_RESTORE_SHX_HINT_MESSAGE); char *pszMessage = STATIC_CAST(char *, malloc(nMessageLen)); - pszFullname[nLenWithoutExtension] = 0; - snprintf( - pszMessage, nMessageLen, - "Unable to open %s.shx or %s.SHX." SHP_RESTORE_SHX_HINT_MESSAGE, - pszFullname, pszFullname); - psHooks->Error(pszMessage); - free(pszMessage); + if (pszMessage) + { + pszFullname[nLenWithoutExtension] = 0; + snprintf( + pszMessage, nMessageLen, + "Unable to open %s.shx or %s.SHX." SHP_RESTORE_SHX_HINT_MESSAGE, + pszFullname, pszFullname); + psHooks->Error(pszMessage); + free(pszMessage); + } psSHP->sHooks.FClose(psSHP->fpSHP); free(psSHP); @@ -353,7 +366,7 @@ SHPHandle SHPAPI_CALL SHPOpenLL(const char *pszLayer, const char *pszAccess, /* Read the file size from the SHP file. */ /* -------------------------------------------------------------------- */ unsigned char *pabyBuf = STATIC_CAST(unsigned char *, malloc(100)); - if (psSHP->sHooks.FRead(pabyBuf, 100, 1, psSHP->fpSHP) != 1) + if (!pabyBuf || psSHP->sHooks.FRead(pabyBuf, 100, 1, psSHP->fpSHP) != 1) { psSHP->sHooks.Error(".shp file is unreadable, or corrupt."); psSHP->sHooks.FClose(psSHP->fpSHP); @@ -661,6 +674,8 @@ int SHPAPI_CALL SHPRestoreSHX(const char *pszLayer, const char *pszAccess, /* -------------------------------------------------------------------- */ const int nLenWithoutExtension = SHPGetLenWithoutExtension(pszLayer); char *pszFullname = STATIC_CAST(char *, malloc(nLenWithoutExtension + 5)); + if (!pszFullname) + return 0; memcpy(pszFullname, pszLayer, nLenWithoutExtension); memcpy(pszFullname + nLenWithoutExtension, ".shp", 5); SAFile fpSHP = psHooks->FOpen(pszFullname, pszAccess, psHooks->pvUserData); 
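Review bot: In the `@@ -353` hunk, `!pabyBuf` is folded into the read-failure test, so an allocation failure is reported as `.shp file is unreadable, or corrupt.` That message points an operator at the input file when the real cause is memory pressure. Keeping the shared cleanup but selecting the message avoids this: `psSHP->sHooks.Error(pabyBuf ? ".shp file is unreadable, or corrupt." : "Out of memory");`. The rest of this branch's cleanup lies outside the hunk.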
@@ -674,12 +689,15 @@ int SHPAPI_CALL SHPRestoreSHX(const char *pszLayer, const char *pszAccess, { const size_t nMessageLen = strlen(pszFullname) * 2 + 256; char *pszMessage = STATIC_CAST(char *, malloc(nMessageLen)); - - pszFullname[nLenWithoutExtension] = 0; - snprintf(pszMessage, nMessageLen, "Unable to open %s.shp or %s.SHP.", - pszFullname, pszFullname); - psHooks->Error(pszMessage); - free(pszMessage); + if (pszMessage) + { + pszFullname[nLenWithoutExtension] = 0; + snprintf(pszMessage, nMessageLen, + "Unable to open %s.shp or %s.SHP.", pszFullname, + pszFullname); + psHooks->Error(pszMessage); + free(pszMessage); + } free(pszFullname); @@ -717,11 +735,14 @@ int SHPAPI_CALL SHPRestoreSHX(const char *pszLayer, const char *pszAccess, { size_t nMessageLen = strlen(pszFullname) * 2 + 256; char *pszMessage = STATIC_CAST(char *, malloc(nMessageLen)); - pszFullname[nLenWithoutExtension] = 0; - snprintf(pszMessage, nMessageLen, - "Error opening file %s.shx for writing", pszFullname); - psHooks->Error(pszMessage); - free(pszMessage); + if (pszMessage) + { + pszFullname[nLenWithoutExtension] = 0; + snprintf(pszMessage, nMessageLen, + "Error opening file %s.shx for writing", pszFullname); + psHooks->Error(pszMessage); + free(pszMessage); + } psHooks->FClose(fpSHP); @@ -736,6 +757,15 @@ int SHPAPI_CALL SHPRestoreSHX(const char *pszLayer, const char *pszAccess, /* -------------------------------------------------------------------- */ psHooks->FSeek(fpSHP, 100, 0); char *pabySHXHeader = STATIC_CAST(char *, malloc(100)); + if (!pabySHXHeader) + { + psHooks->FClose(fpSHP); + + free(pabyBuf); + free(pszFullname); + + return (0); + } memcpy(pabySHXHeader, pabyBuf, 100); psHooks->FWrite(pabySHXHeader, 100, 1, fpSHX); free(pabyBuf); 
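Review bot: The `if (!pabySHXHeader)` branch added in the `@@ -736` hunk of SHPRestoreSHX closes `fpSHP` but not `fpSHX`. `fpSHX` is written to immediately after this allocation, and the preceding hunk shows its open-failure check, so it is an open handle at this point and the early return leaks it. Add `psHooks->FClose(fpSHX);` next to the existing `psHooks->FClose(fpSHP);`. The function continues outside this hunk.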
@@ -978,11 +1008,21 @@ SHPHandle SHPAPI_CALL SHPCreate(const char *pszLayer, int nShapeType) SHPHandle SHPAPI_CALL SHPCreateLL(const char *pszLayer, int nShapeType, const SAHooks *psHooks) { + + SHPHandle psSHP = STATIC_CAST(SHPHandle, calloc(1, sizeof(SHPInfo))); + if (!psSHP) + return SHPLIB_NULLPTR; + /* -------------------------------------------------------------------- */ /* Open the two files so we can write their headers. */ /* -------------------------------------------------------------------- */ const int nLenWithoutExtension = SHPGetLenWithoutExtension(pszLayer); char *pszFullname = STATIC_CAST(char *, malloc(nLenWithoutExtension + 5)); + if (!pszFullname) + { + free(psSHP); + return SHPLIB_NULLPTR; + } memcpy(pszFullname, pszLayer, nLenWithoutExtension); memcpy(pszFullname + nLenWithoutExtension, ".shp", 5); SAFile fpSHP = psHooks->FOpen(pszFullname, "w+b", psHooks->pvUserData); @@ -994,6 +1034,7 @@ SHPHandle SHPAPI_CALL SHPCreateLL(const char *pszLayer, int nShapeType, psHooks->Error(szErrorMsg); free(pszFullname); + free(psSHP); return SHPLIB_NULLPTR; } @@ -1008,6 +1049,7 @@ SHPHandle SHPAPI_CALL SHPCreateLL(const char *pszLayer, int nShapeType, free(pszFullname); psHooks->FClose(fpSHP); + free(psSHP); return SHPLIB_NULLPTR; } @@ -1062,6 +1104,7 @@ SHPHandle SHPAPI_CALL SHPCreateLL(const char *pszLayer, int nShapeType, free(pszFullname); psHooks->FClose(fpSHP); psHooks->FClose(fpSHX); + free(psSHP); return SHPLIB_NULLPTR; } @@ -1086,11 +1129,10 @@ SHPHandle SHPAPI_CALL SHPCreateLL(const char *pszLayer, int nShapeType, free(pszFullname); psHooks->FClose(fpSHP); psHooks->FClose(fpSHX); + free(psSHP); return SHPLIB_NULLPTR; } - SHPHandle psSHP = STATIC_CAST(SHPHandle, calloc(1, sizeof(SHPInfo))); - psSHP->bUpdated = FALSE; memcpy(&(psSHP->sHooks), psHooks, sizeof(SAHooks)); 
@@ -1191,6 +1233,8 @@ SHPObject SHPAPI_CALL1(*) { SHPObject *psObject = STATIC_CAST(SHPObject *, calloc(1, sizeof(SHPObject))); + if (!psObject) + return SHPLIB_NULLPTR; psObject->nSHPType = nSHPType; psObject->nShapeId = nShapeId; psObject->bMeasureIsUsed = FALSE; @@ -1235,6 +1279,13 @@ SHPObject SHPAPI_CALL1(*) STATIC_CAST(int *, calloc(psObject->nParts, sizeof(int))); psObject->panPartType = STATIC_CAST(int *, malloc(sizeof(int) * psObject->nParts)); + if (!psObject->panPartStart || !psObject->panPartType) + { + free(psObject->panPartStart); + free(psObject->panPartType); + free(psObject); + return SHPLIB_NULLPTR; + } psObject->panPartStart[0] = 0; psObject->panPartType[0] = SHPP_RING; @@ -1271,6 +1322,18 @@ SHPObject SHPAPI_CALL1(*) psObject->padfM = STATIC_CAST( double *, padfM &&bHasM ? malloc(nSize) : calloc(nVertices, sizeof(double))); + if (!psObject->padfX || !psObject->padfY || !psObject->padfZ || + !psObject->padfM) + { + free(psObject->panPartStart); + free(psObject->panPartType); + free(psObject->padfX); + free(psObject->padfY); + free(psObject->padfZ); + free(psObject->padfM); + free(psObject); + return SHPLIB_NULLPTR; + } if (padfX != SHPLIB_NULLPTR) memcpy(psObject->padfX, padfX, nSize); if (padfY != SHPLIB_NULLPTR) @@ -2123,6 +2186,11 @@ SHPObject SHPAPI_CALL1(*) SHPReadObject(const SHPHandle psSHP, int hEntity) else { psShape = STATIC_CAST(SHPObject *, calloc(1, sizeof(SHPObject))); + if (!psShape) + { + psSHP->sHooks.Error("Out of memory."); + return SHPLIB_NULLPTR; + } } psShape->nShapeId = hEntity; psShape->nSHPType = nSHPType; diff --git a/ogr/ogrsf_frmts/shape/shptree.c b/ogr/ogrsf_frmts/shape/shptree.c index ef89e00a8a79..6a7559a1eae4 100644 --- a/ogr/ogrsf_frmts/shape/shptree.c +++ b/ogr/ogrsf_frmts/shape/shptree.c 
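Review bot: The two failure branches added in the `@@ -1235` and `@@ -1271` hunks each spell out their own list of `free()` calls for the partially built object. The second list has to repeat the first and add the four coordinate arrays, so any array added later must be remembered in both places. Since `psObject` is zero-initialised by `calloc`, unset members are NULL. If the library's object destructor (presumably `SHPDestroyObject`, which is not shown in this diff) is usable at this point, calling it in both branches would keep the teardown in one place. If it is not, a short comment on each branch listing which members can be non-NULL there would help the next reader.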
@@ -678,6 +678,8 @@ SHPTreeDiskHandle SHPOpenDiskTree(const char *pszQIXFilename, hDiskTree = STATIC_CAST(SHPTreeDiskHandle, calloc(1, sizeof(struct SHPDiskTreeInfo))); + if (!hDiskTree) + return SHPLIB_NULLPTR; if (psHooks == SHPLIB_NULLPTR) SASetupDefaultHooks(&(hDiskTree->sHooks));