id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
1786	Buffer overflow in JPEG driver	mloskot	mloskot	"Today, hobu and I fixed buildbot on the [http://buildbot.osgeo.org:8500/epimetheus-quick epimetheus] slave and we found that the ''autotest/gdrivers/jpeg.py'' test throws a segmentation fault:

{{{
Running tests from gdrivers/jpeg.py
  TEST: jpeg_1 ... process killed by signal 11
}}}

No segmentation fault occurs on x86-32/64, on either Linux or Windows.
 
I generated a backtrace using gdb on epimetheus:

{{{
(gdb) run ./jpeg.py
Starting program: /usr/bin/python ./jpeg.py
Reading symbols for shared libraries .................... done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries ............. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
  TEST: jpeg_1 ... JPEG: Magic: 0x4949 <little-endian> Version: 0x2a


Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xc0000000
0x90003040 in strcpy ()
(gdb) bt
#0  0x90003040 in strcpy ()
#1  0x02131064 in JPGDataset::EXIFPrintData (this=0x185a800, pszData=0xbffdeb6a ""02100210021002100210021002100210021002100210021002100210021002100210021002100210021002100210021002100210021002100210021002100210021002100210021002100210021002100210021002100210021002100210021002100210""..., type=2, count=4, data=0xbffdeb66 ""02100210021002100210021002100210021002100210021002100210021002100210021002100210021002100210021002100210021002100210021002100210021002100210021002100210021002100210021002100210021002100210021002100210""...) at jpgdataset.cpp:247
#2  0x021323b8 in JPGDataset::EXIFExtractMetadata (this=0x31303032, fp=0x31303032, nOffset=825241650) at jpgdataset.cpp:569
#3  0x31303032 in ?? ()
Cannot access memory at address 0x31303032
Cannot access memory at address 0x3130303a
}}}

The line jpgdataset.cpp:247 consists of the following call:

{{{
JPGDataset::EXIFPrintData(char* pszData, GUInt16 type, GUInt32 count, unsigned char* data)
{
....
sprintf(pszData, ""%s"", data); // <--- 247
...
}
}}}

On the PowerPC machine here, sprintf tries to write beyond the buffer, causing the segmentation fault. I replaced (r12054) the sprintf call with '''snprintf''' to limit writing to the size of the pszData buffer (the '''count''' value):

{{{
snprintf(pszData, count, ""%s"", data); 
}}}

Technically, the bug '''seems''' to be fixed now and no segmentation fault occurs anymore, but I'm not very familiar with the JPEG driver, so I'm not sure whether a logic error is still possible.

I'd be thankful if someone who knows the JPEG driver could take a look at this fix and judge. Thanks!
"	defect	closed	high	1.4.3	GDAL_Raster	svn-trunk	critical	fixed	jpeg exif sprintf	warmerdam
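Added example, not GDAL's code or the reporter's patch: a stand-in for the EXIF ASCII formatting step that bounds the destination write (as the snprintf change does) and also bounds the source read with the tag's byte count, since %s keeps reading until a NUL and a malformed tag value need not carry one. The names EXIFFormatAscii, EXIFUnboundedCopyLength and g_abySample, the separate output-buffer-size argument, and the sample bytes are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Stand-in for the EXIF ASCII tag formatting step discussed in the
 * ticket: 'data' points at the raw tag value inside the file buffer,
 * 'count' is the tag's byte count from the IFD entry, 'pszData' is the
 * caller-owned output buffer. Names and signature are hypothetical. */

/* Bytes an unbounded "%s" (the original sprintf) would copy from 'data':
 * it reads until the first NUL, wherever that is. Only safe to call here
 * because the constructed sample below ends in a NUL; real tag data
 * inside a file buffer need not. */
size_t EXIFUnboundedCopyLength(const unsigned char *data)
{
    return strlen((const char *)data);
}

/* Hardened formatter: writes at most nBufSize bytes (NUL included) to
 * pszData and reads at most 'count' bytes from 'data', so a tag value
 * with no trailing NUL cannot run "%s" into whatever follows it.
 * Returns snprintf's would-be length, or -1 on invalid arguments. */
int EXIFFormatAscii(char *pszData, size_t nBufSize,
                    const unsigned char *data, unsigned int count)
{
    if (pszData == NULL || nBufSize == 0 || data == NULL)
        return -1;
    /* EXIF ASCII counts include the NUL; stop at the first NUL if one
     * appears inside 'count', otherwise use exactly 'count' bytes. */
    const unsigned char *pNul = memchr(data, '\0', count);
    size_t nLen = pNul ? (size_t)(pNul - data) : (size_t)count;
    return snprintf(pszData, nBufSize, "%.*s", (int)nLen, (const char *)data);
}

/* Constructed sample: a 4-byte ASCII value ("0210", the EXIF version
 * string seen in the backtrace) with no NUL of its own, followed by
 * more bytes of the same pattern, as the crashing stack showed. */
static const unsigned char g_abySample[] =
    "0210021002100210021002100210021002100210";

int main(void)
{
    char szOut[8];
    printf("unbounded %%s would copy %zu bytes for a tag of count 4\n",
           EXIFUnboundedCopyLength(g_abySample));
    int n = EXIFFormatAscii(szOut, sizeof(szOut), g_abySample, 4);
    printf("bounded: '%s' (%d chars)\n", szOut, n);
    return 0;
}
```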
