Opened 4 months ago

Closed 4 months ago

Last modified 4 months ago

#6944 closed defect (fixed)

rdataset not detecting ridiculous string lengths and read gets stuck

Reported by: Kurt Schwehr
Owned by: warmerdam
Priority: normal
Milestone:
Component: default
Version: unspecified
Severity: normal
Keywords: r
Cc:

Description

This test file is full of ridiculous values, e.g. ReadInt gets an nValue of 1631608512 for

        else if( nObjCode % 256 == R_STRSXP )
        {
            int nCount = poDS->ReadInteger();
            while( nCount-- > 0 && !VSIFEofL(poDS->fp) )
                poDS->ReadString();
        }

The vsigzip system gets stuck trying to read but never detects the end of file.

Detected by autofuzz

Attachments (1)

poc-f63a28e95e5b70c741ba626d42d195d411f7b983b869bc8a5aa8d14c5e5fdbfe (867 bytes) - added by Kurt Schwehr 4 months ago.
Malformed rdx gzipped file


Change History (6)

Changed 4 months ago by Kurt Schwehr

Malformed rdx gzipped file

comment:1 Changed 4 months ago by Even Rouault

Resolution: fixed
Status: new → closed

In 39305:

/vsigzip/: make Eof() detect end of stream when receive a Z_BUF_ERROR error. Fixes #6944. Detected by autofuzz

comment:2 Changed 4 months ago by Even Rouault

In 39307:

Test bug fix. Refs #6944

comment:3 Changed 4 months ago by Even Rouault

In 39308:

/vsigzip/: make Eof() detect end of stream when receive a Z_BUF_ERROR error. Fixes #6944. Detected by autofuzz

comment:4 Changed 4 months ago by Even Rouault

In 39309:

/vsigzip/: make Eof() detect end of stream when receive a Z_BUF_ERROR error. Fixes #6944. Detected by autofuzz

comment:5 Changed 4 months ago by Even Rouault

In 39317:

vsifile.py: fix memleak in test added for refs #6944
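
An added example, not GDAL code and not the fix from the changesets above (which changed /vsigzip/ Eof() handling): a caller-side way to keep a count-driven read loop like the one in the description from depending on an EOF flag, by bounding the count against the remaining input and stopping on the first failed read. The `Reader` type, the function names and the simplified big-endian length-prefixed layout are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical in-memory reader standing in for the file handle. */
typedef struct { const uint8_t *buf; size_t len, pos; } Reader;

/* Read a big-endian 32-bit value; 0 on success, -1 on short read. */
static int read_u32(Reader *r, uint32_t *out)
{
    if (r->len - r->pos < 4) return -1;
    const uint8_t *p = r->buf + r->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    r->pos += 4;
    return 0;
}

/* Skip one length-prefixed string; -1 if its length overruns the input. */
static int skip_string(Reader *r)
{
    uint32_t n;
    if (read_u32(r, &n) != 0 || n > r->len - r->pos) return -1;
    r->pos += n;
    return 0;
}

/* Skip a count then that many strings; returns the count, or -1 if malformed. */
long skip_string_vector(Reader *r)
{
    uint32_t count;
    if (read_u32(r, &count) != 0) return -1;
    /* Every string needs a 4-byte length, so count is bounded by input size. */
    if (count > (r->len - r->pos) / 4) return -1;
    for (uint32_t i = 0; i < count; i++)
        if (skip_string(r) != 0) return -1; /* stop on the first failed read */
    return (long)count;
}

/* Constructed samples: count 1631608512 with 3 trailing bytes; 2 valid strings. */
static const uint8_t kHostile[] = {0x61, 0x40, 0x5E, 0xC0, 'a', 'b', 'c'};
static const uint8_t kValid[] = {0,0,0,2, 0,0,0,2,'a','b', 0,0,0,0};

int main(void)
{
    Reader bad = {kHostile, sizeof kHostile, 0};
    Reader ok = {kValid, sizeof kValid, 0};
    printf("hostile: %ld\n", skip_string_vector(&bad));
    printf("valid:   %ld\n", skip_string_vector(&ok));
    return 0;
}
```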
