MapServer Heap-Buffer-Overflow Vulnerability in SLD Parser Allowing Denial-of-Service

Vulnerability

A heap-buffer-overflow vulnerability has been identified in MapServer versions from 4.2 up to, but not including, 8.6.1. The issue is in the Styled Layer Descriptor (SLD) parser, specifically in its handling of 'Categorize' Threshold elements. A remote, unauthenticated attacker can crash the MapServer process by sending a specially crafted SLD that contains more than 100 Threshold elements within a ColorMap/Categorize structure. The vulnerable code is commonly reached through WMS GetMap requests that include SLD_BODY.

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow that corrupts memory. It is typically exploited to crash the MapServer process, resulting in a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by creating an SLD file that includes over 100 Threshold elements in a ColorMap/Categorize structure. This crafted SLD can then be uploaded to a MapServer instance that accepts SLD_BODY via WMS GetMap requests. The MapServer process will crash, demonstrating the denial-of-service impact of the vulnerability.

Remediation

Users are advised to upgrade to MapServer version 8.6.1, which addresses this vulnerability. The release can be downloaded from the MapServer GitHub repository.
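The condition described above (more than 100 Threshold elements in one Categorize structure, delivered in SLD_BODY) can be checked in front of MapServer before a request is forwarded. The following is an added example, not MapServer's code and not the upstream fix; the function names are hypothetical, the limit of 100 is taken from this advisory, and the sample input is a constructed fragment.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, quote

MAX_THRESHOLDS = 100  # limit taken from the advisory text above


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]


def max_thresholds(sld_xml):
    """Return the largest Threshold count found under any one Categorize element."""
    if "<!DOCTYPE" in sld_xml.upper():
        raise ValueError("DTD not allowed")  # SLD needs none; avoids entity tricks
    root = ET.fromstring(sld_xml)
    worst = 0
    for el in root.iter():
        if _local(el.tag) == "Categorize":
            # Descendants, not only direct children: deliberately conservative.
            n = sum(1 for d in el.iter() if _local(d.tag) == "Threshold")
            worst = max(worst, n)
    return worst


def check_getmap(query):
    """Return (allow, reason) for a raw WMS query string. Fails closed."""
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.upper() != "SLD_BODY":  # WMS parameter names are case-insensitive
            continue
        try:
            n = max_thresholds(value)
        except (ET.ParseError, ValueError) as exc:
            return False, f"unparseable SLD_BODY: {exc}"
        if n > MAX_THRESHOLDS:
            return False, f"{n} Threshold elements in one Categorize"
    return True, "ok"


def constructed_fragment(n):
    """Constructed test input: a bare Categorize fragment, not a complete SLD."""
    body = "".join(f"<se:Value>#000000</se:Value><se:Threshold>{i}</se:Threshold>"
                   for i in range(n))
    return f'<se:Categorize xmlns:se="http://www.opengis.net/se">{body}</se:Categorize>'


if __name__ == "__main__":
    for n in (3, 100, 101):
        q = "SERVICE=WMS&REQUEST=GetMap&SLD_BODY=" + quote(constructed_fragment(n))
        print(n, check_getmap(q))
```

The check inspects only inline SLD_BODY values and rejects anything it cannot parse; it does not replace the upgrade to 8.6.1.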

Added: Mar 27, 2026, 1:29 AM
Updated: Mar 27, 2026, 1:29 AM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 2.5
exploitability: 9.5
remediation: 7.7
relevance: 4.8
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.