#4266 closed defect (fixed)
Grib driver can crash depending on level values
| Reported by: | ejones | Owned by: | warmerdam |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | GDAL_Raster | Version: | unspecified |
| Severity: | normal | Keywords: | grib |
| Cc: |
Description
This is something we had to change a while back to fix a crash problem, and would like to get this fix added to the official distribution.
In frmts/grib/degrib18/degrib/metaname.cpp, consider the following code from ParseLevelName:
char valBuff[20];
char sndBuff[20];
GRIB2SurfTable surf = Table45Index (surfType, &f_reserved, center,
subcenter);
/* Check if index is defined... 191 is undefined. */
free (*shortLevelName);
*shortLevelName = NULL;
free (*longLevelName);
*longLevelName = NULL;
sprintf (valBuff, "%f", value);
strTrimRight (valBuff, '0');
if (valBuff[strlen (valBuff) - 1] == '.') {
valBuff[strlen (valBuff) - 1] = '\0';
}
if (f_sndValue) {
sprintf (sndBuff, "%f", sndValue);
Note that sndBuff and valBuff are only declared with a max size of 20 characters, but then used with a format string of "%f" -- which always uses fixed notation, never scientific (unlike %g, which would use scientific notation if it were more compact). So if the value is 1e25, for example, it will print all 25 zeroes, overflowing the buffers.
We changed the sizes of sndBuff and valBuff to 512. I believe that would cover all possible output from %f, since the largest double precision floating point number is somewhere around 1e308.
Attachments (1)
Change History (3)
by , 13 years ago
| Attachment: | parse_level_name_patch.txt added |
|---|
comment:1 by , 13 years ago
| Component: | default → GDAL_Raster |
|---|---|
| Keywords: | grib added |
| Milestone: | → 1.8.2 |
| Resolution: | → fixed |
| Status: | new → closed |
Proposed patch