id: 5203
summary: Integer overflows in rasterfill.cpp
reporter: akhliustov
owner: warmerdam
type: defect
status: closed
priority: normal
milestone: 1.10.1
component: Algorithms
version: unspecified
severity: normal
resolution: fixed
keywords:
cc:

description:

1. http://trac.osgeo.org/gdal/browser/trunk/gdal/alg/rasterfill.cpp#L571

    if( iY - panLastY[iX] <= dfMaxSearchDist )

panLastY[iX] is unsigned, so iY - panLastY[iX] is unsigned too. If iY < panLastY[iX], their "difference" is a large positive number that can be greater than dfMaxSearchDist. In that case the condition evaluates to false, which is (probably) not expected.

2. http://trac.osgeo.org/gdal/browser/trunk/gdal/alg/rasterfill.cpp#L333

    double dfDistSq = ((target_x-origin_x) * (target_x-origin_x)) + ((target_y-origin_y) * (target_y-origin_y));

The right-hand expression here can have overflow on small enough input (I will try to attach it ASAP).
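The two defects in the ticket illustrate the same C rule: arithmetic is done in the operands' integer type first, and the result is only afterwards converted to the type it is compared with or assigned to. The example below is added here for illustration and is not GDAL's code. It borrows the ticket's variable names but assumes `int` for `iY` and the coordinates and `unsigned int` for `panLastY[]`; the GDAL types may differ. Each reported shape is shown next to a form that does the arithmetic in a type wide enough to hold the result, plus a checker that predicts when the original integer expression would overflow.

```c
#include <limits.h>
#include <stdio.h>

/* Issue 1: signed row index minus unsigned "last row" value.
 * The usual arithmetic conversions turn iY into unsigned, so a negative
 * difference wraps to a huge positive value before the comparison with the
 * double dfMaxSearchDist takes place.  Types are assumed for illustration. */
int within_search_dist_mixed(int iY, unsigned int lastY, double dfMaxSearchDist)
{
    return (iY - lastY) <= dfMaxSearchDist;   /* unsigned subtraction */
}

/* Same test with both operands widened to double before subtracting, so the
 * difference keeps its sign.  Whether a negative difference should count as
 * "within range" is a design decision; this just makes the value honest. */
int within_search_dist_signed(int iY, unsigned int lastY, double dfMaxSearchDist)
{
    double dy = (double)iY - (double)lastY;
    return dy <= dfMaxSearchDist;
}

/* Issue 2: the squared distance is assigned to a double, but the right-hand
 * side is evaluated entirely in int.  Signed int overflow is undefined
 * behaviour, so the overflowing form is not executed here; instead this
 * predicts, using long long, whether the int expression would overflow. */
int dist_sq_int_overflows(int target_x, int origin_x, int target_y, int origin_y)
{
    long long dx = (long long)target_x - origin_x;
    long long dy = (long long)target_y - origin_y;
    if (dx > INT_MAX || dx < INT_MIN || dy > INT_MAX || dy < INT_MIN)
        return 1;                        /* the difference itself overflows */
    long long sx = dx * dx;              /* |dx| <= 2^31, so fits in long long */
    long long sy = dy * dy;
    if (sx > INT_MAX || sy > INT_MAX)
        return 1;                        /* a square overflows int */
    return (sx + sy > INT_MAX);          /* the sum overflows int */
}

/* Corrected form: widen to double first, then square and add. */
double dist_sq_double(int target_x, int origin_x, int target_y, int origin_y)
{
    double dx = (double)target_x - (double)origin_x;
    double dy = (double)target_y - (double)origin_y;
    return dx * dx + dy * dy;
}

int main(void)
{
    /* Constructed inputs: row 5 against a last-seen row of 10, limit 100. */
    printf("mixed  : %d\n", within_search_dist_mixed(5, 10u, 100.0));   /* 0 */
    printf("signed : %d\n", within_search_dist_signed(5, 10u, 100.0));  /* 1 */

    /* Constructed coordinates 100000 pixels apart on one axis. */
    printf("int expression overflows: %d\n",
           dist_sq_int_overflows(100000, 0, 0, 0));                     /* 1 */
    printf("double result: %.0f\n", dist_sq_double(100000, 0, 0, 0));   /* 10000000000 */
    return 0;
}
```

The overflow checker doubles as a unit-test oracle: run it over the coordinate ranges a raster can actually have (width and height up to the format's limits) to see which sizes the original `int` expression cannot represent, and compile with `-fsanitize=undefined` if you want the toolchain to flag the signed overflow at run time.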