Opened 12 years ago

Closed 12 years ago

#1768 closed defect (fixed)

Uninitialized memory in WMS driver's gdalhttp.c

Reported by: Daniel Morissette
Owned by: Daniel Morissette
Priority: normal
Milestone: 1.5.0
Component: default
Version: svn-trunk
Severity: normal
Keywords:
Cc: nowakpl

Description

Valgrind reports the following when running gdal_translate on a WMS data source:

==10260== Conditional jump or move depends on uninitialised value(s)
==10260==    at 0x416A022: CPLHTTPFetchMulti(CPLHTTPRequest*, int) (gdalhttp.cpp:189)
==10260==    by 0x4236660: GDALWMSRasterBand::IReadBlock(int, int, void*) (rasterband.cpp:116)
==10260==    by 0x4290D60: GDALRasterBand::GetLockedBlockRef(int, int, int) (gdalrasterband.cpp:1087)
==10260==    by 0x42A37D2: GDALRasterBand::IRasterIO(GDALRWFlag, int, int, int, int, void*, int, int, GDALDataType, int, int) (rasterio.cpp:89)
==10260==    by 0x4235D1E: GDALWMSRasterBand::IRasterIO(GDALRWFlag, int, int, int, int, void*, int, int, GDALDataType, int, int) (rasterband.cpp:168)
==10260==    by 0x428F92F: GDALRasterBand::RasterIO(GDALRWFlag, int, int, int, int, void*, int, int, GDALDataType, int, int) (gdalrasterband.cpp:225)
==10260==    by 0x42334CF: PNGCreateCopy(char const*, GDALDataset*, int, char**, int (*)(double, char const*, void*), void*) (pngdataset.cpp:1131)
==10260==    by 0x427E705: GDALDriver::CreateCopy(char const*, GDALDataset*, int, char**, int (*)(double, char const*, void*), void*) (gdaldriver.cpp:406)
==10260==    by 0x427E8CB: GDALCreateCopy (gdaldriver.cpp:445)
==10260==    by 0x804B37C: ProxyMain(int, char**) (gdal_translate.cpp:575)
==10260==    by 0x804BEFF: main (gdal_translate.cpp:865)

Change History (2)

comment:1 Changed 12 years ago by Daniel Morissette

Status: new → assigned

comment:2 Changed 12 years ago by Daniel Morissette

Resolution: fixed
Status: assigned → closed

The problem was that psRequest->m_curl_error was malloc'd but was not initialized (i.e. null-terminated) so the test on (psRequest->m_curl_error[0] != '\0') at the end of CPLHTTPFetchMulti() was reading uninitialized memory.

Fixed in r11974 by setting psRequest->m_curl_error[0] = '\0' after allocating the buffer.
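The defect and the one-line fix described in comment:2, as an added example that is not GDAL's own code. The Request struct, the function names, the buffer size and the 0xAA fill (a deterministic stand-in for stale heap bytes) are assumptions, as is the stand-in transfer routine that writes to the error buffer only when the transfer fails.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ERRBUF_SIZE 256   /* assumed buffer size */

/* Hypothetical request record, modelled on the m_curl_error field in the ticket. */
typedef struct {
    char *m_curl_error;
} Request;

/* Stand-in for the HTTP transfer (assumption): an error message is written
 * only on failure; on success the buffer is left exactly as the caller made it. */
static void simulate_transfer(Request *r, int fails) {
    if (fails)
        snprintf(r->m_curl_error, ERRBUF_SIZE, "connection refused");
}

/* The test quoted in the ticket: a non-empty buffer is treated as an error. */
static int has_error(const Request *r) {
    return r->m_curl_error[0] != '\0';
}

/* Runs one request. apply_fix = 0 is the pre-fix behaviour, apply_fix = 1
 * terminates the buffer right after allocation, as the ticket's fix does.
 * Returns 1 if an error is reported, 0 if not, -1 on allocation failure. */
int run_case(int transfer_fails, int apply_fix) {
    Request r;
    r.m_curl_error = malloc(ERRBUF_SIZE);
    if (r.m_curl_error == NULL)
        return -1;
    /* malloc() returns indeterminate bytes; fill with 0xAA so the stale
     * contents are reproducible here instead of undefined. */
    memset(r.m_curl_error, 0xAA, ERRBUF_SIZE);
    if (apply_fix)
        r.m_curl_error[0] = '\0';   /* the fix: start with an empty string */
    simulate_transfer(&r, transfer_fails);
    int reported = has_error(&r);
    free(r.m_curl_error);
    return reported;
}

int main(void) {
    printf("success, no fix : error reported = %d\n", run_case(0, 0));
    printf("success, fixed  : error reported = %d\n", run_case(0, 1));
    printf("failure, fixed  : error reported = %d\n", run_case(1, 1));
    return 0;
}
```

Without the terminator, a successful transfer is reported as failed whenever the first stale byte happens to be non-zero, which is why the symptom depends on heap contents and shows up reliably only under a tool such as Valgrind.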
