Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#4481 closed defect (worksforme)

PostGIS Raster driver: buffer overflow

Reported by: strk
Owned by: jorgearevalo
Priority: high
Milestone: 1.10.0
Component: GDAL_Raster
Version: svn-trunk
Severity: critical
Keywords: postgis_raster, postgisraster, wktraster
Cc: jorgearevalo

Description

gdal_translate -of NTv2 PG:"dbname='strk' table='chenyx06a' column='rast_shift_wgs84'" -b 1 -b 2 -b 3 -b 4 CHENYX06a_shift.gsb
Input file size is 661, 313
0*** buffer overflow detected ***: gdal_translate terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7fbebb159217]
/lib/libc.so.6(+0xfe0d0)[0x7fbebb1580d0]
/usr/local/lib/libgdal.so(_ZN20PostGISRasterDataset9IRasterIOE10GDALRWFlagiiiiPvii12GDALDataTypeiPiiii+0x39d)[0x7fbebefd552d]
/usr/local/lib/libgdal.so(_ZN11GDALDataset8RasterIOE10GDALRWFlagiiiiPvii12GDALDataTypeiPiiii+0x579)[0x7fbebf0bd4b9]
/usr/local/lib/libgdal.so(GDALDatasetCopyWholeRaster+0x4b3)[0x7fbebf0efc53]
/usr/local/lib/libgdal.so(_ZN10GDALDriver17DefaultCreateCopyEPKcP11GDALDatasetiPPcPFidS1_PvES6_+0x43a)[0x7fbebf0c430a]
/usr/local/lib/libgdal.so(_ZN10GDALDriver10CreateCopyEPKcP11GDALDatasetiPPcPFidS1_PvES6_+0x15a)[0x7fbebf0c471a]
gdal_translate[0x4052d5]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7fbebb078c4d]
gdal_translate[0x402679]

This is GDAL svn r23827 (1.9.0)

There seem to be a fair number of bugs for the postgis raster driver already; could it be worth a trac component?

Change History (15)

comment:1 by strk, 12 years ago

Valgrind says on the matter:

==29889== *** strcpy_chk: buffer overflow detected ***: program terminated
==29889==    at 0x4C29F83: VALGRIND_PRINTF_BACKTRACE (valgrind.h:4214)
==29889==    by 0x4C2A140: __strcpy_chk (mc_replace_strmem.c:757)
==29889==    by 0x532952C: PostGISRasterDataset::IRasterIO(GDALRWFlag, int, int, int, int, void*, int, int, GDALDataType, int, int*, int, int, int) (string3.h:107)
==29889==    by 0x54114B8: GDALDataset::RasterIO(GDALRWFlag, int, int, int, int, void*, int, int, GDALDataType, int, int*, int, int, int) (gdaldataset.cpp:1738)
==29889==    by 0x5443C52: GDALDatasetCopyWholeRaster (rasterio.cpp:2943)
==29889==    by 0x5418309: GDALDriver::DefaultCreateCopy(char const*, GDALDataset*, int, char**, int (*)(double, char const*, void*), void*) (gdaldriver.cpp:511)
==29889==    by 0x5418719: GDALDriver::CreateCopy(char const*, GDALDataset*, int, char**, int (*)(double, char const*, void*), void*) (gdaldriver.cpp:630)

comment:2 by Even Rouault, 12 years ago

Cc: jorgearevalo added
Keywords: postgisraster added

CC'ing Jorge. I'm not sure of his availability to address tickets. Perhaps there's place for other contributors to help (co-)maintaining the driver.

comment:3 by jorgearevalo, 12 years ago

Owner: changed from warmerdam to jorgearevalo
Status: new → assigned

Hi, I have access to see the tickets. I'm currently looking for help to co-maintain the driver. I think I'll have a response next week. Thanks for the report.

Anyway, I think the right place to put the bugs related to the driver is the GDAL trac. I use it too.

comment:4 by dzwarg, 12 years ago

Hello strk,

In your test case, what is your SRID of your raster? Is this the trunk version of postgis raster?

comment:5 by strk, 12 years ago

@dzwarg: SRID is 4326, it is postgis raster trunk. The segfault is in GDAL, which should survive whatever PostGIS bug anyway.

comment:6 by dzwarg, 12 years ago

strk-

Yes, agreed that it's a gdal bug. I asked about postgis because the GDAL code checks SRID against -1 at one point near a strcpy. Wasn't there discussion about changing the default SRID from -1 to 0?

comment:7 by dzwarg, 12 years ago

These log messages fly by so fast, I had missed these. Touching postgisrasterdataset.cpp and performing 'make', the log reveals:

... In file included from /usr/include/string.h:642:0,
                 from /usr/local/src/gdal-svn/gdal/port/cpl_port.h:132,
                 from /usr/local/src/gdal-svn/gdal/gcore/gdal.h:41,
                 from /usr/local/src/gdal-svn/gdal/gcore/gdal_priv.h:53,
                 from postgisraster.h:30,
                 from postgisrasterdataset.cpp:33:
In function 'char* strcpy(char*, const char*)',
    inlined from 'virtual CPLErr PostGISRasterDataset::IRasterIO(GDALRWFlag, int, int, int, int, void*, int, int, GDALDataType, int, int*, int, int, int)' at postgisrasterdataset.cpp:1013:32:
/usr/include/x86_64-linux-gnu/bits/string3.h:105:63: warning: call to 'char* __builtin___strcpy_chk(char*, const char*, long unsigned int)' will always overflow destination buffer [enabled by default]
In function 'char* strcpy(char*, const char*)',
    inlined from 'virtual CPLErr PostGISRasterDataset::IRasterIO(GDALRWFlag, int, int, int, int, void*, int, int, GDALDataType, int, int*, int, int, int)' at postgisrasterdataset.cpp:1017:37:
/usr/include/x86_64-linux-gnu/bits/string3.h:105:63: warning: call to 'char* __builtin___strcpy_chk(char*, const char*, long unsigned int)' will always overflow destination buffer [enabled by default] ...
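The warnings in comment 7 are GCC's _FORTIFY_SOURCE machinery at work: a strcpy whose destination size the compiler knows (here a fixed-size array inside IRasterIO) is rewritten to __builtin___strcpy_chk, the compiler warns at build time when the source is provably longer, and glibc's __strcpy_chk aborts at run time with the "*** buffer overflow detected ***" seen in the report and in the valgrind trace. The block below is an added example, not code from the GDAL driver or from anyone in this thread: a hypothetical query-building routine that copies caller-controlled table and column names into a fixed-size buffer, beside two bounded replacements. The function names, QUERY_MAX, QUERY_FMT and the query text are assumptions for illustration; only the table and column names from the report are real.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not the driver's code. The destination size is chosen
 * deliberately small so that a realistic identifier can exceed it. */
#define QUERY_MAX 64
#define QUERY_FMT "SELECT ST_AsBinary(%s) FROM %s"   /* hypothetical query shape */

/* UNSAFE: neither strcpy nor strcat knows sizeof(tmp). Compiled with
 * -O2 -D_FORTIFY_SOURCE=2 these become __strcpy_chk/__strcat_chk and abort
 * with "*** buffer overflow detected ***" once the text exceeds QUERY_MAX;
 * without fortification the same input silently overwrites the stack. */
void build_query_unsafe(char *out, const char *table, const char *column)
{
    char tmp[QUERY_MAX];
    strcpy(tmp, "SELECT ST_AsBinary(");
    strcat(tmp, column);            /* caller-controlled, unbounded */
    strcat(tmp, ") FROM ");
    strcat(tmp, table);             /* caller-controlled, unbounded */
    strcpy(out, tmp);
}

/* BOUNDED: snprintf never writes more than dstsz bytes and returns the
 * length the full string would have had, so "does not fit" becomes a
 * checkable error instead of memory corruption.
 * Returns 0 on success, -1 if the query does not fit (dst is then ""). */
int build_query_bounded(char *dst, size_t dstsz, const char *table, const char *column)
{
    int n = snprintf(dst, dstsz, QUERY_FMT, column, table);
    if (n < 0 || (size_t)n >= dstsz) {
        if (dstsz > 0)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* ALLOCATING: measure first, then allocate exactly what is needed, which is
 * the shape of CPLSPrintf/CPLString-style helpers. Caller frees; NULL on error. */
char *build_query_alloc(const char *table, const char *column)
{
    int n = snprintf(NULL, 0, QUERY_FMT, column, table);
    if (n < 0)
        return NULL;
    char *q = malloc((size_t)n + 1);
    if (q == NULL)
        return NULL;
    snprintf(q, (size_t)n + 1, QUERY_FMT, column, table);
    return q;
}

/* Self-check on constructed inputs: the ticket's table/column names fit in
 * QUERY_MAX, an 80-character column name does not. Returns 1 when every
 * routine behaves as described above. */
int selfcheck(void)
{
    char buf[QUERY_MAX];
    char longcol[81];
    memset(longcol, 'x', 80);
    longcol[80] = '\0';

    if (build_query_bounded(buf, sizeof buf, "chenyx06a", "rast_shift_wgs84") != 0)
        return 0;
    if (strcmp(buf, "SELECT ST_AsBinary(rast_shift_wgs84) FROM chenyx06a") != 0)
        return 0;
    if (build_query_bounded(buf, sizeof buf, "chenyx06a", longcol) != -1 || buf[0] != '\0')
        return 0;

    char *q = build_query_alloc("chenyx06a", longcol);
    if (q == NULL || strlen(q) != 19 + 80 + 7 + 9)   /* prefix + column + infix + table */
        return 0;
    free(q);
    return 1;
}

int main(void)
{
    char buf[QUERY_MAX];
    build_query_unsafe(buf, "chenyx06a", "rast");   /* short input, fits */
    printf("%s\n", buf);
    int ok = selfcheck();
    printf("selfcheck: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Build with `gcc -O2 -D_FORTIFY_SOURCE=2 -Wall` to see the same class of diagnostic dzwarg quotes; the unsafe routine is only ever called with short input here so the program runs to completion. Two caveats: bounding the copy fixes the memory-safety bug only, and identifiers spliced into SQL still need proper quoting before they reach the server; and per comment 14 the driver's actual resolution was to delete the method rather than patch the copy.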

comment:8 by jorgearevalo, 12 years ago

Try with make &>make_output.log, to dump the make output to a file.

comment:9 by pracine, 12 years ago

Keywords: postgis_raster added; postgisraster removed

comment:10 by jorgearevalo, 12 years ago

Milestone: 1.9.1
Priority: normal → high

comment:11 by Mateusz Łoskot, 12 years ago

Keywords: postgisraster wktraster added

comment:12 by jorgearevalo, 12 years ago

Could you give it a try with the new trunk version just committed?

comment:13 by strk, 12 years ago

Cannot test before mid September, and honestly I'm not sure I'll remember to. I'd trust valgrind on the matter. Otherwise ping me back in a couple of weeks. Thanks!

comment:14 by jorgearevalo, 12 years ago

Resolution: worksforme
Status: assigned → closed

I can't reproduce this problem. The method shown in the log (PostGISRasterDataset::IRasterIO) has been deleted. It shouldn't happen anymore. I close the ticket. If the problem persists, don't hesitate to re-open it.

comment:15 by jorgearevalo, 12 years ago

Milestone: 1.9.1 → 2.0.0