Ticket #27 (closed defect: fixed)
[PATCH] Avoids out of bound array access when gt_num_keys is too big
| Reported by: | rouault | Owned by: | warmerdam |
|---|---|---|---|
| Priority: | normal | Component: | libgeotiff |
| Version: | | Keywords: | |
| Cc: | | | |
Description
With the attached file, I get the following Valgrind warning:

```
==20574== Invalid read of size 2
==20574==    at 0x5052B80: GTIFNewWithMethods (geo_new.c:211)
==20574==    by 0x5052E53: GTIFNew (geo_new.c:60)
==20574==    by 0x505CD1C: GTiffDataset::LookForProjection() (geotiff.cpp:4437)
==20574==    by 0x505D018: GTiffDataset::GetProjectionRef() (geotiff.cpp:6908)
==20574==    by 0x402B9B: main (gdalinfo.c:210)
==20574==  Address 0xe4b07d8 is 0 bytes after a block of size 2,008 alloc'd
==20574==    at 0x4C23082: realloc (vg_replace_malloc.c:429)
==20574==    by 0x5052A82: GTIFNewWithMethods (geo_new.c:114)
==20574==    by 0x5052E53: GTIFNew (geo_new.c:60)
==20574==    by 0x505CD1C: GTiffDataset::LookForProjection() (geotiff.cpp:4437)
==20574==    by 0x505D018: GTiffDataset::GetProjectionRef() (geotiff.cpp:6908)
==20574==    by 0x402B9B: main (gdalinfo.c:210)
```
This is due to the loop in geo_new.c around line 176:
```c
entptr = ((KeyEntry *)data) + 1;
/* [snip] */
for (index=1; index<=count; index++,entptr++)
{
    if (!ReadKey(gt, &tempData, entptr, ++keyptr))
        goto failure;
    /* Set up the index (start at 1, since 0=unset) */
    gt->gt_keyindex[entptr->ent_key] = index;
}
```
So, the data array must hold at least "(count+1) * sizeof(KeyEntry)" bytes. data is allocated to have "(4+MAX_VALUES)*sizeof(pinfo_t)" bytes (lines 103 and 114), hence the test in the patch.
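As an added illustration of the check the ticket proposes (example code, not libgeotiff's own): a simplified reconstruction of the directory walk that refuses to start when (count+1)*sizeof(KeyEntry) exceeds the bytes allocated for data, with the product computed in size_t and guarded against wrap-around. The type definitions, MAX_VALUES = 1000 (chosen to reproduce the 2,008-byte block in the Valgrind report) and the demo_directory helper are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Assumed stand-ins for the libgeotiff types; MAX_VALUES = 1000 gives the
   (4 + MAX_VALUES) * sizeof(pinfo_t) = 2,008-byte data block from the report. */
typedef uint16_t pinfo_t;
#define MAX_VALUES 1000
typedef struct {
    pinfo_t ent_key, ent_location, ent_count, ent_val_offset;
} KeyEntry;

/* The test the ticket asks for: the header slot plus `count` entries must fit
   in the bytes actually allocated for `data`. Guarded so a huge count cannot
   wrap the multiplication and slip past the comparison. */
static int key_directory_fits(size_t count, size_t data_bytes)
{
    if (count > SIZE_MAX / sizeof(KeyEntry) - 1)
        return 0;                       /* (count + 1) * sizeof would overflow */
    return (count + 1) * sizeof(KeyEntry) <= data_bytes;
}

/* Same walk as the loop in geo_new.c, gated by the check above. Returns the
   number of keys copied into keys_out, or -1 when the directory is rejected.
   NumberOfKeys is read from the fourth short of the GeoKeyDirectory header. */
static long read_key_directory(const pinfo_t *data, size_t data_bytes,
                               pinfo_t *keys_out, size_t keys_cap)
{
    if (data_bytes < sizeof(KeyEntry))
        return -1;
    size_t count = data[3];
    if (!key_directory_fits(count, data_bytes) || count > keys_cap)
        return -1;
    const KeyEntry *entptr = (const KeyEntry *)data + 1;
    for (size_t index = 1; index <= count; index++, entptr++)
        keys_out[index - 1] = entptr->ent_key;
    return (long)count;
}

/* Constructed sample (assumed helper): a full-size buffer whose header claims
   `declared` keys. Only 250 entry slots exist, so larger counts are refused. */
static long demo_directory(size_t declared)
{
    pinfo_t data[4 + MAX_VALUES];
    memset(data, 0, sizeof data);
    data[0] = 1; data[1] = 1; data[3] = (pinfo_t)declared;
    KeyEntry *e = (KeyEntry *)data + 1;
    for (size_t i = 0; i < sizeof data / sizeof(KeyEntry) - 1; i++)
        e[i].ent_key = (pinfo_t)(1024 + i);
    pinfo_t keys[MAX_VALUES];
    return read_key_directory(data, sizeof data, keys, MAX_VALUES);
}
```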