Ticket #2218 (closed defect: fixed)

Opened 3 months ago

Last modified 2 months ago

[PATCH - shapelib] Fix crashes on corrupted geometries

Reported by: rouault Assigned to: rouault
Priority: low Milestone: 1.6.0
Component: OGR_SF Version: unspecified
Severity: normal Keywords: shape
Cc:

Description

The attached patch adds checks to SHPReadObject so that hostile/corrupted geometries in a shape entity don't cause shapelib to read memory outside of the declared entity size and pabyRec buffer.

I've also attached a zip file containing a few voluntarily corrupted shapefiles to demonstrate the crashes (or Valgrind errors) and the fix.

Attachments

buggyshape.zip (2.4 kB) - added by rouault on 02/12/08 15:09:53.
shapelib_fix_crash_on_buggy_geometries.patch (11.4 kB) - added by rouault on 02/13/08 15:43:25.

Change History

02/12/08 15:09:39 changed by rouault

Patch updated that also checks for too big a number of points or parts that would cause arithmetic computation overflow, and another test that checks that the panPartStart array is correct (checks of the indices wrt the number of points and that they appear in increasing order).

ZIP also updated to add another shape that demonstrates the checks on panPartStart.
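
The checks discussed in this ticket (staying inside the declared entity size, rejecting point/part counts that would overflow the size arithmetic, and validating panPartStart) can be sketched as follows. This is an added example, not the attached shapelib patch: the function name, error codes and the buffer convention (record content starting at the shape type, rather than shapelib's pabyRec) are assumptions, as is treating "increasing" as strictly increasing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
enum { POLY_OK = 0, POLY_TRUNCATED = -1, POLY_BAD_COUNT = -2,
       POLY_TOO_SHORT = -3, POLY_BAD_PART = -4 };
/* Little-endian 32-bit read/write with no alignment assumptions. */
static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr_le32(unsigned char *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i));
}

/* Assumed layout of rec (record content, rec_size bytes as declared):
   type(4) box(32) nParts(4) nPoints(4) parts[nParts]*4 points[nPoints]*16 */
int validate_poly_record(const unsigned char *rec, size_t rec_size)
{
    const size_t hdr = 44;
    if (rec_size < hdr) return POLY_TRUNCATED;
    uint32_t nParts = rd_le32(rec + 36), nPoints = rd_le32(rec + 40);
    if (nParts > 0x7fffffffu || nPoints > 0x7fffffffu) return POLY_BAD_COUNT;
    /* Divide the bytes that are left instead of multiplying the counts,
       so the size computation itself cannot overflow. */
    size_t avail = rec_size - hdr;
    if (nParts > avail / 4) return POLY_TOO_SHORT;
    avail -= (size_t)nParts * 4;
    if (nPoints > avail / 16) return POLY_TOO_SHORT;
    /* Each part start must index an existing point and keep increasing. */
    int64_t prev = -1;
    for (uint32_t i = 0; i < nParts; i++) {
        uint32_t start = rd_le32(rec + hdr + (size_t)i * 4);
        if (start >= nPoints || (int64_t)start <= prev) return POLY_BAD_PART;
        prev = start;
    }
    return POLY_OK;
}

int main(void)
{
    unsigned char rec[44 + 2 * 4 + 4 * 16] = {0}; /* constructed sample */
    wr_le32(rec, 5); wr_le32(rec + 36, 2); wr_le32(rec + 40, 4); wr_le32(rec + 48, 2);
    printf("valid: %d\n", validate_poly_record(rec, sizeof rec));
    wr_le32(rec + 40, 0x10000000u); /* point count far beyond the record */
    printf("huge nPoints: %d\n", validate_poly_record(rec, sizeof rec));
    return 0;
}
```

Only after all of these pass is it safe to copy the parts and points out of the buffer.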

02/12/08 15:09:53 changed by rouault

  • attachment buggyshape.zip added.

02/13/08 15:43:25 changed by rouault

  • attachment shapelib_fix_crash_on_buggy_geometries.patch added.

03/12/08 17:46:53 changed by warmerdam

  • priority changed from normal to high.
  • status changed from new to assigned.
  • milestone set to 1.5.1.

I'll try to incorporate this for 1.5.1.

03/14/08 01:34:01 changed by warmerdam

  • priority changed from high to low.
  • milestone changed from 1.5.1 to 1.6.0.

Patch applied in Shapelib.

Patch downstreamed and applied in trunk (r14000) and 1.5 branch (r14001).

I would appreciate it if some sort of test case(s) could be added to the gdalautotest. Leaving open for that (in trunk only would be fine).

03/14/08 15:41:35 changed by rouault

  • status changed from assigned to new.
  • owner changed from warmerdam to rouault.

I will take care of adding test cases in gdalautotest. They will be based on the shapefiles in the buggyshape.zip archive.

03/15/08 05:41:35 changed by rouault

  • status changed from new to closed.
  • resolution set to fixed.

ogr_shape_21 test added in r14015