Opened 10 years ago
Closed 10 years ago
#5567 closed defect (fixed)
Buffer underflow in GDAL 1.11 using /vsistdin/
| Reported by: | tlwest | Owned by: | warmerdam |
|---|---|---|---|
| Priority: | normal | Milestone: | 1.11.1 |
| Component: | default | Version: | 1.11.0 |
| Severity: | normal | Keywords: | vsistdin |
| Cc: |
Description
This causes a crash when GDAL 1.11 is compiled under Windows (64-bit), but I suspect it underflows unnoticably under Unix.
When using the command:
gdalsrsinfo /vsistdin/ < ...
I get a buffer underflow occurs in:
gdalsrsinfo.exe!main(int argc, char * * argv) Line 227 gdalsrsinfo.exe!FindSRS(const char * pszInput, OGRSpatialReference & oSRS) Line 383
gdal111.dll!OGRSFDriverRegistrar::Open(char const *,int,class OGRSFDriver * *) gdal111.dll!OGRTigerDriver::Open(char const *,int) gdal111.dll!OGRTigerDataSource::Open(char const *,int,char * *)
(Note, the line numbers may be slightly off due to some debugging output statements)
The code for Open in ogrtigerdatasource.cpp has the following around line 317:
if( VSI_ISREG(stat.st_mode) ) {
char szModule[128];
pszPath = CPLStrdup( CPLGetPath(pszFilename) );
strncpy( szModule, CPLGetFilename(pszFilename), sizeof(szModule)-1 );
/* Make sure the buffer is 0 terminated */
szModule[sizeof(szModule)-1] = '\0';
/* And now remove last character of filename */
szModule[strlen(szModule)-1] = '\0';
Unfortunately, when pszFilename is "/vsistdin/", CPLGetFilename(pszFilename) return an empty string, setting szModule to an empty string. This the last line sets index -1 of the string to \0. Under Windows, this causes a buffer underflow error and immediate crash.
(Note, I'm now aware that /vsistdin/ doesn't seem to work with gdalsrsinfo, but it's still a potential crash in the tiger module.)
Change History (1)
comment:1 by , 10 years ago
| Milestone: | → 1.11.1 |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
trunk r27514, branches/1.11 r27515: "Fix potential buffer underflow when providing /vsistdin/ to Tiger driver (#5567)"