Opened 16 years ago
Closed 16 years ago
#2218 closed defect (fixed)
[PATCH - shapelib] Fix crashes on corrupted geometries
| Reported by: | Even Rouault | Owned by: | Even Rouault |
|---|---|---|---|
| Priority: | low | Milestone: | 1.6.0 |
| Component: | OGR_SF | Version: | unspecified |
| Severity: | normal | Keywords: | shape |
| Cc: |
Description
The attached patch adds checks to SHPReadObject so that hostile/corrupted geometries in a shape entity don't cause shapelib to read memory outside of the declared entity size and pabyRec buffer.
I've attached too a zip file containing a few volontary corrupted shapefiles to demonstrate the crashes (or Valgrind errors) and the fix.
Attachments (2)
Change History (7)
comment:1 by , 16 years ago
by , 16 years ago
| Attachment: | buggyshape.zip added |
|---|
by , 16 years ago
| Attachment: | shapelib_fix_crash_on_buggy_geometries.patch added |
|---|
comment:2 by , 16 years ago
| Milestone: | → 1.5.1 |
|---|---|
| Priority: | normal → high |
| Status: | new → assigned |
I'll try to incorporate this for 1.5.1.
comment:3 by , 16 years ago
| Milestone: | 1.5.1 → 1.6.0 |
|---|---|
| Priority: | high → low |
comment:4 by , 16 years ago
| Owner: | changed from to |
|---|---|
| Status: | assigned → new |
I will take care of adding test cases in gdalautotest. There will be based on the shapefiles in the buggyshape.zip archive
comment:5 by , 16 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
ogr_shape_21 test added in r14015
Note:
See TracTickets
for help on using tickets.
Patch updated that also checks for two big number of points or parts that would cause arithmetic computation overflow, and another test that checks that the panPartStart array is correct (checks of the indices wrt the number of points and that they appear in increasing orders).
ZIP also updated to add another shape that demonstrates the checks on panPartStart.