id,summary,reporter,owner,description,type,status,priority,milestone,component,version,resolution,keywords,cc
27,[PATCH] Avoids out-of-bounds array access when gt_num_keys is too big,rouault,warmerdam,"With the attached file, I get the following Valgrind warning:
{{{
==20574== Invalid read of size 2
==20574==    at 0x5052B80: GTIFNewWithMethods (geo_new.c:211)
==20574==    by 0x5052E53: GTIFNew (geo_new.c:60)
==20574==    by 0x505CD1C: GTiffDataset::LookForProjection() (geotiff.cpp:4437)
==20574==    by 0x505D018: GTiffDataset::GetProjectionRef() (geotiff.cpp:6908)
==20574==    by 0x402B9B: main (gdalinfo.c:210)
==20574==  Address 0xe4b07d8 is 0 bytes after a block of size 2,008 alloc'd
==20574==    at 0x4C23082: realloc (vg_replace_malloc.c:429)
==20574==    by 0x5052A82: GTIFNewWithMethods (geo_new.c:114)
==20574==    by 0x5052E53: GTIFNew (geo_new.c:60)
==20574==    by 0x505CD1C: GTiffDataset::LookForProjection() (geotiff.cpp:4437)
==20574==    by 0x505D018: GTiffDataset::GetProjectionRef() (geotiff.cpp:6908)
==20574==    by 0x402B9B: main (gdalinfo.c:210)
}}}
This is due to the loop in geo_new.c around line 176:
{{{
entptr = ((KeyEntry *)data) + 1;
[snip]
for (index=1; index<=count; index++,entptr++)
{
    if (!ReadKey(gt, &tempData, entptr, ++keyptr))
        goto failure;

    /* Set up the index (start at 1, since 0=unset) */
    gt->gt_keyindex[entptr->ent_key] = index;
}
}}}
So, the data array must hold at least ""(count+1) * sizeof(KeyEntry)"" bytes. data is allocated to have ""(4+MAX_VALUES)*sizeof(pinfo_t)"" bytes (lines 103 and 114), hence the test in the patch.",defect,closed,normal,,libgeotiff,,fixed,,