Opened 14 years ago

Closed 14 years ago

#2934 closed defect (fixed)

Memory overwrite while zooming an ECW image

Reported by: oren Owned by: warmerdam
Priority: normal Milestone: 1.6.1
Component: GDAL_Raster Version: unspecified
Severity: normal Keywords: ECW


Symptom: When calling GDALRasterIO() with a target region larger than the source region (the super sampling case), it causes a memory overwrite.

Solution: In ECWRasterBand::IRasterIO(), “ecwdataset.cpp”, line 446 - change the last parameter of memcpy() from “nLineSpace” to “nBufXSize * nPixelSpace”.

Change History (4)

comment:1 by warmerdam, 14 years ago

Keywords: ECW added
Status: newassigned

comment:2 by warmerdam, 14 years ago

Priority: highestnormal


I tried forcing supersampling with a command like:

gdal_translate -srcwin 0 0 8101 600 -outsize 9000 700 ClearLake.ecw out.tif

and amoung other things this reported:

ECWRasterBand: RasterIO(nXOff=0,nYOff=0,nXSize=8101,nYSize=317 -> 9000x370)

However, according to valgrind there was no buffer overwrites occuring. Can you give me more information on how to trigger this error? Does it require a situation nLineSpace is unusual? I'm guessing that it does.

comment:3 by Even Rouault, 14 years ago

I could reproduce the problem with an unusual size of buffer:

#include <gdal.h>

int main(int argc, char* argv[])
  GDALDatasetH hDS = GDALOpen(argv[1], GA_ReadOnly);
  int nBufXSize = 2;
  int nBufYSize = 4;
  int nPixelSpace = 2;
  int nLineSpace = nPixelSpace * nBufXSize;
  char* buf = (char*)malloc((nBufYSize-1)*nLineSpace+(nBufXSize-1)*nPixelSpace+1);
  GDALRasterIO( GDALGetRasterBand(hDS, 1), GF_Read, 0, 0, 1, 2, buf, nBufXSize, nBufYSize, GDT_Byte, nPixelSpace, nLineSpace);
  return 0;

In the case, the suggested fix doesn't work.

Fix to follow.

comment:4 by Even Rouault, 14 years ago

Milestone: 1.6.1
Resolution: fixed
Status: assignedclosed

Fixed in trunk (r16724) and branches/1.6 (r16725)

Note: See TracTickets for help on using tickets.