Ticket #2075 (closed enhancement: fixed)

Opened 8 months ago

Last modified 6 months ago

[PATCH] Add VSISafeMul2, etc. functions to detect overflows

Reported by: rouault Assigned to: rouault
Priority: normal Milestone: 1.6.0
Component: default Version: svn-trunk
Severity: normal Keywords: overflow memory allocation
Cc: warmerdam, mloskot

Description

In GDAL, we frequently do things like VSIMalloc(nXSize * nYSize * sizeof(float)). If nXSize and nYSize are big enough and well choosen, the result can be a moderate value, and VSIMalloc can return a non-NULL pointer. However, the memory buffer will probably be overrun in later operations.

The first patch gdal_svn_trunk_vsi_safe_mul.patch adds new API to do safe multiplications with overflow checking. The second patch uses these new API in gdal/gcore. The third patch uses these new API in gdal/frmts. Note that it only uses these new API at places where VSIMalloc/VSICalloc are already used. Drivers using CPLMalloc/CPLCalloc would crash on big allocations and should be modified to use VSIMalloc/VSICalloc, but that's a much bigger effort.

Attachments

gdal_svn_trunk_use_vsi_safe_mul_in_gcore.patch (4.5 kB) - added by rouault on 12/08/07 12:34:20.
Use of new API in gdal/gcore
gdal_svn_trunk_vsi_safe_mul.patch (4.1 kB) - added by rouault on 12/08/07 13:44:43.
gdal_svn_trunk_use_vsi_safe_mul_in_frmts.patch (17.8 kB) - added by rouault on 12/08/07 16:23:46.
Use of new API in gdal/frmts

Change History

12/08/07 12:34:20 changed by rouault

  • attachment gdal_svn_trunk_use_vsi_safe_mul_in_gcore.patch added.

Use of new API in gdal/gcore

12/08/07 13:24:55 changed by nowakpl

root@r0:~# cat malloc_test.cpp #include <stdio.h> #include <stdlib.h>

int main() {

printf("%p\n", malloc(0)); return 0;

} root@r0:~# ./malloc_test 0x804a008

So if you use VSIMalloc(VSISafeMul2(x, y)), VSISafeMul2 will return 0, VSIMalloc will allocate 0 bytes and the code that used it will think everything is ok.

VSISafeSizetCastToInt has hardcoded int size + returns correct int value on error.

12/08/07 13:43:56 changed by rouault

gdal_svn_trunk_vsi_safe_mul.patch updated so that VSIMalloc/Calloc/Realloc return NULL when size is 0.

12/08/07 13:44:43 changed by rouault

  • attachment gdal_svn_trunk_vsi_safe_mul.patch added.

12/08/07 16:23:46 changed by rouault

  • attachment gdal_svn_trunk_use_vsi_safe_mul_in_frmts.patch added.

Use of new API in gdal/frmts

12/08/07 16:26:08 changed by rouault

I'm wondering if the change in VSIMalloc/Calloc/Realloc is not a bit too disruptive... I had to change hfa_band.cpp line 891 in order not to break hfa_write.py.

12/09/07 18:32:50 changed by warmerdam

  • milestone set to 1.6.0.

Even,

I'd be more comfortable holding this change to 1.6 at this point. Feel free to apply the patch once we have branched off a 1.5 branch.

12/19/07 16:33:54 changed by mloskot

  • cc changed from warmerdam to warmerdam, mloskot.

12/29/07 12:02:51 changed by rouault

A revised proposal of the patches is described in RFC 19.

01/08/08 17:22:37 changed by rouault

Changes commited in trunk in r13498, r13499 and r13500

01/27/08 11:50:42 changed by rouault

  • status changed from new to closed.
  • resolution set to fixed.