Opened 7 years ago

Closed 7 years ago

#5567 closed defect (fixed)

Buffer underflow in GDAL 1.11 using /vsistdin/

Reported by: tlwest
Owned by: warmerdam
Priority: normal
Milestone: 1.11.1
Component: default
Version: 1.11.0
Severity: normal
Keywords: vsistdin
Cc:

Description

This causes a crash when GDAL 1.11 is compiled under Windows (64-bit), but I suspect it underflows unnoticeably under Unix.

When using the command:

gdalsrsinfo /vsistdin/ < ...

I get a buffer underflow that occurs in:

gdalsrsinfo.exe!main(int argc, char * * argv) Line 227
gdalsrsinfo.exe!FindSRS(const char * pszInput, OGRSpatialReference & oSRS) Line 383
gdal111.dll!OGRSFDriverRegistrar::Open(char const *,int,class OGRSFDriver * *)
gdal111.dll!OGRTigerDriver::Open(char const *,int)
gdal111.dll!OGRTigerDataSource::Open(char const *,int,char * *)

(Note, the line numbers may be slightly off due to some debugging output statements)

The code for Open in ogrtigerdatasource.cpp has the following around line 317:

    if( VSI_ISREG(stat.st_mode) ) {
        char szModule[128];

        pszPath = CPLStrdup( CPLGetPath(pszFilename) );

        strncpy( szModule, CPLGetFilename(pszFilename), sizeof(szModule)-1 );
        /* Make sure the buffer is 0 terminated */
        szModule[sizeof(szModule)-1] = '\0';

        /* And now remove last character of filename */
        szModule[strlen(szModule)-1] = '\0';

Unfortunately, when pszFilename is "/vsistdin/", CPLGetFilename(pszFilename) returns an empty string, setting szModule to an empty string. Thus the last line sets index -1 of the string to \0. Under Windows, this causes a buffer underflow error and immediate crash.

(Note, I'm now aware that /vsistdin/ doesn't seem to work with gdalsrsinfo, but it's still a potential crash in the tiger module.)
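The failure mode described above, as an added example that is not part of the original ticket and is neither GDAL's code nor the change made in r27514. It shows the index the unguarded line writes to and one way to guard the strip; `last_component` is a hypothetical stand-in for CPLGetFilename, and the TIGER-style file name is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for CPLGetFilename(): the part after the last
 * '/' or '\\', which is "" when the path ends with a separator. */
static const char *last_component(const char *path)
{
    const char *p = path + strlen(path);
    while (p > path && p[-1] != '/' && p[-1] != '\\')
        p--;
    return p;
}

/* Index written by `szModule[strlen(szModule)-1] = '\0'`. strlen() returns
 * size_t, so for "" the subtraction wraps to the largest size_t value,
 * which in practice addresses the byte just before the buffer. */
static size_t unchecked_strip_index(const char *module)
{
    return strlen(module) - 1;
}

/* Guarded variant: copy the file name component, terminate it, and drop the
 * last character only when there is one. Returns the new length, or -1 when
 * there is no file name component (e.g. "/vsistdin/"). */
static int module_from_filename(const char *filename, char *module, size_t size)
{
    size_t len;
    if (size == 0)
        return -1;
    strncpy(module, last_component(filename), size - 1);
    module[size - 1] = '\0';
    len = strlen(module);
    if (len == 0)
        return -1;              /* nothing to strip: reject the input */
    module[len - 1] = '\0';
    return (int)(len - 1);
}

int main(void)
{
    char module[128];
    const char *inputs[] = { "/vsistdin/", "/data/TGR01001.RT1" }; /* constructed */
    printf("unchecked index for \"\": %zu\n", unchecked_strip_index(""));
    for (size_t i = 0; i < 2; i++) {
        int n = module_from_filename(inputs[i], module, sizeof(module));
        printf("%-20s -> %d \"%s\"\n", inputs[i], n, n < 0 ? "" : module);
    }
    return 0;
}
```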

Change History (1)

comment:1 Changed 7 years ago by Even Rouault

Milestone: 1.11.1
Resolution: fixed
Status: new → closed

trunk r27514, branches/1.11 r27515: "Fix potential buffer underflow when providing /vsistdin/ to Tiger driver (#5567)"
