Ticket #2196 (closed defect: fixed)

Opened 3 months ago

Last modified 3 months ago

NetCDF driver segfaults when reading large attributes

Reported by: mariocruz
Assigned to: warmerdam
Priority: normal
Milestone: 1.4.5
Component: GDAL_Raster
Version: 1.4.4
Severity: normal
Keywords: netcdf
Cc:

Description

The NetCDF driver's current implementation assumes that the length of an attribute's string representation never exceeds MAX_STR_LEN characters. This assumption, together with the liberal use of strcpy/strcat, causes a segfault when reading files whose attribute representation is larger than this fixed value.

The attached patch is a proposed (simple) fix for the problem which removes the length limit and allocates memory as needed by using a wrapper function around strcat.

Bug exists at least in versions 1.4.2, 1.4.4 and 1.5.0. Patched against the 1.5.0 source.

Attachments

netcdf.patch (5.8 kB) - added by mariocruz on 02/05/08 10:54:20.
netcdfdataset.cpp and netcdfdataset.h patch
netcdf.1.4.4.patch (5.8 kB) - added by mariocruz on 02/06/08 04:25:35.
netcdfdataset.cpp and netcdfdataset.h patch (1.4 branch)

Change History

02/05/08 10:54:20 changed by mariocruz

  • attachment netcdf.patch added.

netcdfdataset.cpp and netcdfdataset.h patch

02/05/08 12:40:11 changed by warmerdam

  • status changed from new to closed.
  • component changed from default to GDAL_Raster.
  • resolution set to fixed.
  • milestone set to 1.5.1.

Mario,

I applied the patch and tested with valgrind and discovered we needed to add +1 in the size test to ensure we have room for the string-terminating zero byte. The slightly adapted patch has been applied in trunk (r13698) and 1.5 (r13699). The patch doesn't apply cleanly in the 1.4 branch, so I'm going to skip addressing it there.

Thanks!
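The approach the description proposes (drop the fixed MAX_STR_LEN buffer, grow memory on demand behind a strcat-style wrapper) and the +1 correction from the comment above, as an added example in C. This is not the attached patch or GDAL code: StrBuf, strbuf_append, fits_with_terminator and format_attribute are this example's own names, and the "{1.5,1.5,...}" attribute text is constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable, always NUL-terminated string standing in for a fixed
 * MAX_STR_LEN char array. StrBuf and the strbuf_* names are this
 * example's own, not identifiers from the GDAL netCDF driver. */
typedef struct {
    char *data;  /* NUL-terminated contents */
    size_t len;  /* bytes used, excluding the terminator */
    size_t cap;  /* bytes allocated, including the terminator */
} StrBuf;

int strbuf_init(StrBuf *b, size_t initial_cap)
{
    b->cap = initial_cap ? initial_cap : 1;   /* at least the terminator */
    b->data = malloc(b->cap);
    if (b->data == NULL) return 0;
    b->data[0] = '\0';
    b->len = 0;
    return 1;
}

/* The size test as first submitted (no room reserved for the terminating
 * zero byte) next to the corrected form with the +1. */
int fits_without_terminator(size_t len, size_t srclen, size_t cap)
{
    return len + srclen <= cap;          /* off by one: NUL not counted */
}

int fits_with_terminator(size_t len, size_t srclen, size_t cap)
{
    return len + srclen + 1 <= cap;      /* +1 for the terminating NUL */
}

/* strcat-style wrapper that grows the buffer instead of overflowing it.
 * Returns 1 on success, 0 if memory could not be allocated. */
int strbuf_append(StrBuf *b, const char *src)
{
    size_t srclen = strlen(src);
    if (!fits_with_terminator(b->len, srclen, b->cap)) {
        size_t newcap = b->cap;
        while (!fits_with_terminator(b->len, srclen, newcap))
            newcap *= 2;                 /* geometric growth: amortised O(1) appends */
        char *p = realloc(b->data, newcap);
        if (p == NULL)
            return 0;                    /* old buffer still valid and owned by b */
        b->data = p;
        b->cap = newcap;
    }
    memcpy(b->data + b->len, src, srclen + 1);  /* +1 copies the NUL as well */
    b->len += srclen;
    return 1;
}

void strbuf_free(StrBuf *b) { free(b->data); b->data = NULL; b->len = b->cap = 0; }

/* Builds a "{v0,v1,...}" text form of an n-element numeric attribute, the
 * kind of representation that can exceed a fixed limit. Returns the final
 * length, or 0 on allocation failure ("{}" is the shortest valid result). */
size_t format_attribute(StrBuf *out, const double *vals, size_t n)
{
    char item[64];                       /* one formatted value at a time */
    if (!strbuf_append(out, "{")) return 0;
    for (size_t i = 0; i < n; i++) {
        snprintf(item, sizeof item, "%s%g", i ? "," : "", vals[i]);
        if (!strbuf_append(out, item)) return 0;
    }
    if (!strbuf_append(out, "}")) return 0;
    return out->len;
}

/* Formats n copies of the constructed value 1.5 ("{1.5,1.5,...}", which is
 * 4n + 1 bytes for n >= 1) starting from a deliberately tiny buffer, and
 * returns the resulting length. */
size_t demo_large_attribute(size_t n)
{
    double *vals = n ? malloc(n * sizeof *vals) : NULL;
    if (n && vals == NULL) return 0;
    for (size_t i = 0; i < n; i++) vals[i] = 1.5;
    StrBuf out;
    size_t len = 0;
    if (strbuf_init(&out, 16)) {         /* 16 bytes: forces repeated growth */
        len = format_attribute(&out, vals, n);
        strbuf_free(&out);
    }
    free(vals);
    return len;
}

int main(void)
{
    size_t n = 100000;
    printf("%zu values formatted into %zu bytes\n", n, demo_large_attribute(n));
    printf("16-byte string into 16-byte buffer: old test=%d, corrected test=%d\n",
           fits_without_terminator(0, 16, 16), fits_with_terminator(0, 16, 16));
    return 0;
}
```

The two `fits_*` functions make the valgrind finding concrete: with a 16-byte buffer and a 16-character string, the test without the +1 reports that the string fits, and strcat then writes its terminating zero one byte past the allocation.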

02/06/08 04:25:35 changed by mariocruz

  • attachment netcdf.1.4.4.patch added.

netcdfdataset.cpp and netcdfdataset.h patch (1.4 branch)

02/06/08 04:29:56 changed by mariocruz

I'm actually still using the 1.4 branch in my project and therefore would have some interest in having it also changed, so I've attached a patch created against the 1.4.4 version of the source (+1 size corrected already, thanks for pointing out that bug).

Not reopening the ticket though, as the issue has been solved for non-legacy versions.

02/06/08 10:11:13 changed by warmerdam

  • status changed from closed to reopened.
  • version changed from 1.5.0 to 1.4.4.
  • resolution deleted.
  • milestone changed from 1.5.1 to 1.4.5.

02/06/08 10:17:04 changed by warmerdam

  • status changed from reopened to closed.
  • resolution set to fixed.

Patch applied in the 1.4 branch (r13712).