Opened 11 years ago
Closed 11 years ago
#5203 closed defect (fixed)
Integer overflows in rasterfill.cpp
| Reported by: | akhliustov | Owned by: | warmerdam |
|---|---|---|---|
| Priority: | normal | Milestone: | 1.10.1 |
| Component: | Algorithms | Version: | unspecified |
| Severity: | normal | Keywords: | |
| Cc: |
Description (last modified by )
if( iY - panLastY[iX] <= dfMaxSearchDist )
panLastY[iX] is unsigned, so iY - panLastY[iX] is unsigned too. If iY < panLastY[iX], their "difference" is a large positive number that can be greater than dfMaxSearchDist. In that case the condition evaluates to false, which is (probably) not expected.
- http://trac.osgeo.org/gdal/browser/trunk/gdal/alg/rasterfill.cpp#L333
double dfDistSq = ((target_x-origin_x) * (target_x-origin_x)) + ((target_y-origin_y) * (target_y-origin_y));
The right-hand expression here can have overflow on small enough input (I will try to attach it ASAP).
Attachments (3)
Change History (6)
by , 11 years ago
| Attachment: | rasterfill.unsigned.patch added |
|---|
comment:1 by , 11 years ago
| Description: | modified (diff) |
|---|---|
| Summary: | Implicit signed-to-unsigned conversions in rasterfill.cpp → Integer overflows in rasterfill.cpp |
by , 11 years ago
| Attachment: | fillnodata.in.tif added |
|---|
by , 11 years ago
| Attachment: | fillnodata.out.tif added |
|---|
comment:2 by , 11 years ago
Note:
See TracTickets
for help on using tickets.
Here is the raster (
.in.tif) with 800 rows and 1200 columns. Runninggdal_fillnodata -co COMPRESS=LZW -mask fillnodata.in.tif -md 0 fillnodata.in.tif fillnodata.out.tifproduces an output (
.out.tif) which has up to 10 rows of garbage (the topmost ones).In my program I use the function directly but the result is the same.