Opened 12 years ago

Closed 12 years ago

#2196 closed defect (fixed)

NetCDF driver segfaults when reading large attributes

Reported by: mariocruz Owned by: warmerdam
Priority: normal Milestone: 1.4.5
Component: GDAL_Raster Version: 1.4.4
Severity: normal Keywords: netcdf
Cc:

Description

The NetCDF driver's current implementation assumes that the length of an attribute's string representation never exceeds MAX_STR_LEN characters. This assumption, together with the liberal use of strcpy/strcat, causes a segfault when reading files whose attribute representation is larger than this fixed value.

The attached patch is a proposed (simple) fix for the problem which removes the length limit and allocates memory as needed by using a wrapper function around strcat.

Bug exists at least in versions 1.4.2, 1.4.4 and 1.5.0. Patched against the 1.5.0 source.

Attachments (2)

netcdf.patch (5.8 KB) - added by mariocruz 12 years ago.
netcdfdataset.cpp and netcdfdataset.h patch
netcdf.1.4.4.patch (5.8 KB) - added by mariocruz 12 years ago.
netcdfdataset.cpp and netcdfdataset.h patch (1.4 branch)


Change History (6)

Changed 12 years ago by mariocruz

Attachment: netcdf.patch added

netcdfdataset.cpp and netcdfdataset.h patch

comment:1 Changed 12 years ago by warmerdam

Component: default → GDAL_Raster
Milestone: 1.5.1
Resolution: fixed
Status: new → closed

Mario,

I applied the patch and tested with valgrind and discovered we needed to add +1 in the size test to ensure we have room for the string terminating zero byte. The slightly adapted patch has been applied in trunk (r13698) and 1.5 (r13699). The patch doesn't apply cleanly in 1.4 branch so I'm going to skip addressing it there.

Thanks!
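The two points raised in the description and in comment:1, a growable buffer instead of a fixed MAX_STR_LEN plus strcat, and a size test that reserves one extra byte for the terminating NUL, are shown together below in an added example. This is not the attached patch nor GDAL's netcdfdataset.cpp; the GrowBuf type, the function names and the 256-byte OLD_MAX_STR_LEN stand-in are constructed for illustration (the ticket does not state the real MAX_STR_LEN value).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the driver's fixed limit; the real value is not on the ticket. */
#define OLD_MAX_STR_LEN 256

/* Hypothetical growable string buffer replacing a fixed char[MAX_STR_LEN] + strcat. */
typedef struct {
    char *data;   /* NUL-terminated contents, NULL before the first append */
    size_t len;   /* bytes in use, excluding the terminator */
    size_t cap;   /* bytes allocated, including room for the terminator */
} GrowBuf;

void growbuf_init(GrowBuf *b) { b->data = NULL; b->len = 0; b->cap = 0; }
void growbuf_free(GrowBuf *b) { free(b->data); growbuf_init(b); }

/* Bytes required to hold the current contents, src, and the terminating zero.
 * The +1 is the byte the original patch's size test forgot (comment:1). */
size_t growbuf_bytes_needed(size_t cur_len, size_t src_len)
{
    return cur_len + src_len + 1;
}

/* Append src, growing the allocation as needed. Returns 0 on success, -1 on failure. */
int growbuf_append(GrowBuf *b, const char *src)
{
    size_t srclen = strlen(src);
    size_t need = growbuf_bytes_needed(b->len, srclen);
    if (need < b->len) return -1;             /* size_t wrap-around guard */
    if (need > b->cap) {
        size_t newcap = b->cap ? b->cap : 64;
        while (newcap < need) {               /* double until large enough */
            if (newcap > SIZE_MAX / 2) { newcap = need; break; }
            newcap *= 2;
        }
        char *p = realloc(b->data, newcap);
        if (!p) return -1;                    /* old buffer still valid and freed by caller */
        b->data = p;
        b->cap = newcap;
        if (b->len == 0) b->data[0] = '\0';
    }
    memcpy(b->data + b->len, src, srclen + 1); /* copies src's terminator as well */
    b->len += srclen;
    return 0;
}

/* Render n values as "{v0,v1,...}", the way a driver might turn an array
 * attribute into one metadata string. Returns the final length, or (size_t)-1. */
size_t format_attribute_values(const double *vals, size_t n, GrowBuf *out)
{
    char tmp[64];
    if (growbuf_append(out, "{") != 0) return (size_t)-1;
    for (size_t i = 0; i < n; i++) {
        snprintf(tmp, sizeof tmp, "%s%g", i ? "," : "", vals[i]);
        if (growbuf_append(out, tmp) != 0) return (size_t)-1;
    }
    if (growbuf_append(out, "}") != 0) return (size_t)-1;
    return out->len;
}

/* Builds a constructed n-element attribute and returns its rendered length
 * (0 on failure or if the buffer is not properly NUL-terminated). */
size_t demo_large_attribute(size_t n)
{
    double *vals = malloc((n ? n : 1) * sizeof *vals);
    if (!vals) return 0;
    for (size_t i = 0; i < n; i++) vals[i] = i * 0.5;
    GrowBuf b;
    growbuf_init(&b);
    size_t len = format_attribute_values(vals, n, &b);
    if (len == (size_t)-1 || strlen(b.data) != len) len = 0;
    growbuf_free(&b);
    free(vals);
    return len;
}

int main(void)
{
    size_t len = demo_large_attribute(1000);
    printf("rendered %zu bytes; a fixed %d-byte buffer would have overflowed\n",
           len, OLD_MAX_STR_LEN);
    return len > OLD_MAX_STR_LEN ? 0 : 1;
}
```

Running it under valgrind, as was done for the ticket's patch, is a quick way to confirm that the size test is right: drop the +1 from growbuf_bytes_needed and the memcpy's terminator byte lands one past the allocation.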

Changed 12 years ago by mariocruz

Attachment: netcdf.1.4.4.patch added

netcdfdataset.cpp and netcdfdataset.h patch (1.4 branch)

comment:2 Changed 12 years ago by mariocruz

I'm actually still using the 1.4 branch in my project and therefore would have some interest in having it also changed, so I've attached a patch created against the 1.4.4 version of the source (+1 size corrected already, thanks for pointing out that bug).

Not reopening the ticket though, as the issue has been solved for non-legacy versions.

comment:3 Changed 12 years ago by warmerdam

Milestone: 1.5.1 → 1.4.5
Resolution: fixed
Status: closed → reopened
Version: 1.5.0 → 1.4.4

comment:4 Changed 12 years ago by warmerdam

Resolution: fixed
Status: reopened → closed

Patch applied in 1.4 branch (r13712).
