Opened 15 years ago
Closed 15 years ago
#3 closed defect (fixed)
[PATCH] Fix stack buffer overflow in GTIFGetProj4Defn()
| Reported by: | rouault | Owned by: | warmerdam |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | libgeotiff | Version: | |
| Keywords: | Cc: |
Description
A stack buffer overflow can occur if psDefn->UOMLengthInMeters has a big non fractionnal part (for example 123456789.12345678).
Patch :
Index: frmts/gtiff/libgeotiff/geotiff_proj4.c
===================================================================
--- frmts/gtiff/libgeotiff/geotiff_proj4.c (révision 15995)
+++ frmts/gtiff/libgeotiff/geotiff_proj4.c (copie de travail)
@@ -161,7 +161,8 @@
}
else
{
- sprintf( szUnits, "+to_meter=%.10f", psDefn->UOMLengthInMeters );
+ snprintf( szUnits, sizeof(szUnits), "+to_meter=%.10f", psDefn->UOMLengthInMeters );
+ szUnits[sizeof(szUnits)-1] = '\0';
}
/* -------------------------------------------------------------------- */
Note:
See TracTickets
for help on using tickets.
The sprintf() page suggests it is a C99 function and I'm hesitant to depend on C99 functions in libgeotiff. Instead I have just increased the size of szUnits (r1502) even though it is not a proper solution of the problem.