Skip to content

Bug: Fix memory leak on param handling#7539

Merged
geographika merged 4 commits into
MapServer:mainfrom
arthurscchan:fix-memleak
Jul 3, 2026
Merged

Bug: Fix memory leak on param handling#7539
geographika merged 4 commits into
MapServer:mainfrom
arthurscchan:fix-memleak

Conversation

@arthurscchan

Copy link
Copy Markdown
Contributor

When a parameter is matched, its value is duplicated and stored in the param object, overwriting any existing value without first freeing the previously allocated pointer. This causes a direct memory leak whenever the same parameter name appears more than once in a request.

This PR fixes the leak by always clearing the target pointer before assigning the new value during each parameter's processing. The change is safe even for null pointers, as msFree() accepts a null pointer and is a no-op in that case.

This memory leak is discovered by the new fuzzer introduced in #7525.

Signed-off-by: Arthur Chan <arthur.chan@adalogics.com>
Signed-off-by: Arthur Chan <arthur.chan@adalogics.com>
@jmckenna jmckenna added this to the 8.8.0 Release milestone Jun 24, 2026
@geographika

Copy link
Copy Markdown
Member

I checked how this was handled for other services. For WFS a helper function is used:

static int msWFSSetParam(char **ppszOut, cgiRequestObj *request, int i,
                         const char *pszExpectedParamName) {
  if (strcasecmp(request->ParamNames[i], pszExpectedParamName) == 0) {
    if (*ppszOut == NULL)
      *ppszOut = msStrdup(request->ParamValues[i]);
    return 1;
  }
  return 0;
}


//        if (msWFSSetParam(&(wfsparams->pszVersion), request, i, "VERSION")) {}

This has slightly different logic as it keeps the first parameter supplied in the querystring. We should also add some tests for duplicated parameters.

Signed-off-by: Arthur Chan <arthur.chan@adalogics.com>
@arthurscchan

Copy link
Copy Markdown
Contributor Author

I have changed the logic mirror the msWFSSetParam approach.

@geographika geographika added the backport branch-8-6 To backport a pull request to branch-8-6 label Jul 1, 2026
@rouault

rouault commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

just pushed in https://github.com/arthurscchan/MapServer/tree/fix-memleak a modified msautotest check exercising duplicated parameters in WCS queries

@geographika geographika merged commit d32331f into MapServer:main Jul 3, 2026
17 checks passed
# RUN_PARMS: wcs_cap.xml [MAPSERV] QUERY_STRING="map=[MAPFILE]&SERVICE=WCS&VERSION=1.0.0&REQUEST=GetCapabilities" > [RESULT_DEVERSION] [RESULT_DEMIME]
# RUN_PARMS: wcs_cap.txt [MAPSERV] QUERY_STRING="map=[MAPFILE]&SERVICE=WCS&VERSION=1.0.0&REQUEST=GetCapabilities" > [RESULT_DEVERSION] [RESULT]
# Also test duplicated parameter not to cause memory leak
# RUN_PARMS: wcs_cap.txt [MAPSERV] QUERY_STRING="map=[MAPFILE]&SERVICE=WCS&VERSION=1.0.0&VERSION=1.0.0&REQUEST=GetCapabilities" > [RESULT_DEVERSION] [RESULT]

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we test also `&VERSION=1.0.0&VERSION=2.0.0, if the aim is to keep just the first parameter value?

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes probably best to have a test that confirms this. I'm not sure what the spec says about this case.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backport branch-8-6 To backport a pull request to branch-8-6

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants