Opened 7 years ago

Closed 7 years ago

#5464 closed defect (fixed)

Write-after-end-of-buffer in openfilegdb table

Reported by: Even Rouault Owned by: Even Rouault
Priority: normal Milestone: 1.11.1
Component: OGR_SF Version: 1.11.0
Severity: normal Keywords: openfilegdb

Description (last modified by Even Rouault)

There are situations where a few bytes can be written after then end of a buffer. For example with the attached dataset.

$ valgrind ogrinfo /vsizip/ -al
==23995== Memcheck, a memory error detector
==23995== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==23995== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==23995== Command: ogrinfo /vsizip/ -al
Had to open data source read-only.
INFO: Open of `/vsizip/'
      using driver `OpenFileGDB' successful.

Layer name: GDB_SpatialRefs
Geometry: Unknown (any)
Feature Count: 2
Layer SRS WKT:
FID Column = ID
SRTEXT: String (0.0)
FalseX: Real (0.0)
FalseY: Real (0.0)
XYUnits: Real (0.0)
FalseZ: Real (0.0)
ZUnits: Real (0.0)
FalseM: Real (0.0)
MUnits: Real (0.0)
XYTolerance: Real (0.0)
ZTolerance: Real (0.0)
MTolerance: Real (0.0)
  SRTEXT (String) = GEOGCS["GCS_WGS_1984",DATUM["D_WGS_1984",SPHEROID["WGS_1984",6378137.0,298.257223563]],PRIMEM["Greenwich",0.0],UNIT["Degree",0.0174532925199433]]
  FalseX (Real) = -180
  FalseY (Real) = -90
  XYUnits (Real) = 1000000
  FalseZ (Real) = (null)
  ZUnits (Real) = (null)
  FalseM (Real) = (null)
  MUnits (Real) = (null)
  XYTolerance (Real) = 2e-06
  ZTolerance (Real) = (null)
  MTolerance (Real) = (null)

==23995== Invalid write of size 1
==23995==    at 0x5A9D483: OpenFileGDB::FileGDBTable::SelectRow(int) (filegdbtable.cpp:1082)
==23995==    by 0x5D09FBD: OGROpenFileGDBLayer::GetNextFeature() (ogropenfilegdblayer.cpp:1249)
==23995==    by 0x40434D: ReportOnLayer(OGRLayer*, char const*, char const*, OGRGeometry*) (ogrinfo.cpp:557)
==23995==    by 0x403929: main (ogrinfo.cpp:334)
==23995==  Address 0x17785ab2 is 0 bytes after a block of size 242 alloc'd
==23995==    at 0x4C274A8: malloc (vg_replace_malloc.c:236)
==23995==    by 0x5A05BB1: VSIMalloc (cpl_vsisimple.cpp:505)
==23995==    by 0x5A9BD7C: OpenFileGDB::FileGDBTable::Open(char const*) (filegdbtable.cpp:670)
==23995==    by 0x5D06F89: OGROpenFileGDBLayer::BuildLayerDefinition() (ogropenfilegdblayer.cpp:255)
==23995==    by 0x5D07723: OGROpenFileGDBLayer::GetGeomType() (ogropenfilegdblayer.cpp:414)
==23995==    by 0x403D89: ReportOnLayer(OGRLayer*, char const*, char const*, OGRGeometry*) (ogrinfo.cpp:460)
==23995==    by 0x403929: main (ogrinfo.cpp:334)
  SRTEXT (String) = GEOGCS["GCS_Australian_Antarctic_1998",DATUM["D_Australian_Antarctic_1998",SPHEROID["GRS_1980",6378137.0,298.257222101]],PRIMEM["Greenwich",0.0],UNIT["Degree",0.0174532925199433]]
  FalseX (Real) = -400
  FalseY (Real) = -400
  XYUnits (Real) = 1000000000
  FalseZ (Real) = -100000
  ZUnits (Real) = 10000
  FalseM (Real) = (null)
  MUnits (Real) = (null)
  XYTolerance (Real) = 8.983153e-09
  ZTolerance (Real) = 0.001
  MTolerance (Real) = (null)

Attachments (1) (19.2 KB) - added by Even Rouault 7 years ago.

Download all attachments as: .zip

Change History (3)

comment:1 Changed 7 years ago by Even Rouault

Description: modified (diff)

Changed 7 years ago by Even Rouault

Attachment: added

comment:2 Changed 7 years ago by Even Rouault

Resolution: fixed
Status: newclosed

trunk r27302, branches/1.11 r27303 "OpenFileGDB: fix occasionnal write-after-end-of-buffer (#5464)"

Note: See TracTickets for help on using tickets.