Opened 7 years ago

Closed 7 years ago

#5713 closed defect (fixed)

Integer overflow in rasterio.cpp

Reported by: patnichols
Owned by: warmerdam
Priority: normal
Milestone: 1.11.2
Component: GDAL_Raster
Version: 1.11.1
Severity: normal
Keywords: integer overflow
Cc:

Description

For several large strips using the DG/Earthwatch .TIL format, we get segmentation faults due to integer overflow. I was able to fix the problem by redefining the offsets to be size_t. Here is the svn diff:

--- gcore/rasterio.cpp (revision 27889) +++ gcore/rasterio.cpp (working copy) @@ -235,7 +235,7 @@

size_t iBufOffset, iSrcOffset; int nXSpan;

  • iBufOffset = (size_t)iBufYOff * nLineSpace;

+ iBufOffset = ((size_t)iBufYOff) * ((size_t)nLineSpace);

nLBlockY = iSrcY / nBlockYSize; nLBlockX = nLBlockXStart; iSrcX = nXOff;
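Review bot: the replacement of the iBufOffset line in this hunk is a no-op. iBufYOff is already cast to size_t on the left of the multiplication, and the usual arithmetic conversions then convert the int nLineSpace to size_t before the product is formed, so `((size_t)iBufYOff) * ((size_t)nLineSpace)` yields exactly the same value as the existing `(size_t)iBufYOff * nLineSpace`. Note also that either spelling only widens the arithmetic where size_t is 64 bits; on a 32-bit build size_t is 32 bits and the product still wraps, so a bounds check of the resulting offset against the buffer size (or computing it in a 64-bit type such as GIntBig) is what actually closes the overflow there.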

@@ -296,11 +296,11 @@

&& nPixelSpace == nBufDataSize )

{

if( eRWFlag == GF_Read )

  • memcpy( ((GByte *) pData) + iBufOffset + k * nLineSpace,
  • pabySrcBlock + iSrcOffset, nXSpanSize );

+ memcpy( ((GByte *) pData) + iBufOffset + ((size_t)k) * ((size_t)nLineSpace), + pabySrcBlock + ((size_t)iSrcOffset), nXSpanSize );

else

memcpy( pabySrcBlock + iSrcOffset,

  • ((GByte *) pData) + iBufOffset + k * nLineSpace, nXSpanSize );

+ ((GByte *) pData) + ((size_t)iBufOffset) + ((size_t)k) * ((size_t)nLineSpace), nXSpanSize );

} else {
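Review bot: the substantive fix in this hunk is the `(size_t)k` cast. In the removed lines `k * nLineSpace` is an int-by-int product that is evaluated at int width and can overflow before it is added to the pointer, which is where the segfault comes from. The casts added around iBufOffset and iSrcOffset, by contrast, change nothing, because both are already declared `size_t` in the first hunk's context (`size_t iBufOffset, iSrcOffset;`), and dropping them would keep the memcpy lines readable. The read and write branches are fixed symmetrically, which is right; the same review should confirm that nXSpanSize and the code that computes iSrcOffset (not shown in this diff) do their arithmetic at the same width.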

Thanks, Pat Nichols

Change History (1)

comment:1 Changed 7 years ago by Even Rouault

Milestone: 1.11.2
Resolution: fixed
Status: new → closed

I didn't take the "iBufOffset = ((size_t)iBufYOff) * ((size_t)nLineSpace);" since I think that the cast of the first member is sufficient, but tell me if I'm wrong (although that would defeat quite many assumptions I had on how type promotion worked in C/C++ ...)

I've merged the other changes. Thanks

trunk r27903, branches/1.11 r27904 "Fix 32bit overflow in GDALRasterBand::IRasterIO() (#5713)"
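The type-promotion question raised in the comment above, worked through in C as an added example (this is not GDAL code and does not call GDALRasterBand::IRasterIO(); the function names, the 40000 x 60000 byte geometry and the buffer sizes are constructed for the demo). It shows the pre-fix int-by-int product wrapping negative, that a single size_t cast on the left operand is enough because the right operand is promoted, that the double cast gives the identical value, that a 32-bit size_t (modelled with uint32_t) still wraps, and the bounds check a practitioner would add before using such an offset.

```c
/* Added example, not GDAL code: why the strided buffer offset in the ticket
 * overflowed and why one size_t cast on the first operand is sufficient.
 * All names and input values below are made up for this demonstration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* What the pre-fix expression `k * nLineSpace` (both int) evaluates to once
 * the mathematical product exceeds INT_MAX. Signed overflow is undefined
 * behaviour in C, so the wrap is reproduced deterministically here by
 * truncating the exact 64-bit product to int32_t (implementation-defined,
 * modulo 2^32 on every mainstream compiler). A negative result added to a
 * pointer lands before the buffer, which matches the reported segfaults. */
int32_t offset_prefix(int k, int nLineSpace)
{
    int64_t exact = (int64_t)k * (int64_t)nLineSpace;
    return (int32_t)exact;
}

/* The merged fix: one size_t cast on the left operand. Under the usual
 * arithmetic conversions the int nLineSpace is converted to size_t before
 * the multiplication, so the product is formed at size_t width. */
size_t offset_fixed(int k, int nLineSpace)
{
    return (size_t)k * nLineSpace;
}

/* The reporter's double-cast spelling: same value, so the second cast is
 * redundant (this is the point Even Rouault makes in the comment). */
size_t offset_fixed_double_cast(int k, int nLineSpace)
{
    return (size_t)k * (size_t)nLineSpace;
}

/* Caveat: on a 32-bit build size_t is only 32 bits wide, so the cast does
 * not widen anything there and the product still wraps. Modelled with
 * uint32_t so it behaves the same on a 64-bit host. */
uint32_t offset_fixed_32bit(int k, int nLineSpace)
{
    return (uint32_t)k * (uint32_t)nLineSpace;
}

/* The guard a practitioner adds before copying: the span [offset, offset+span)
 * must lie inside a buffer of nBufSize bytes. Written without offset + span
 * so the check itself cannot overflow. Returns 1 when in bounds, else 0. */
int offset_in_bounds(size_t offset, size_t span, size_t nBufSize)
{
    return offset <= nBufSize && span <= nBufSize - offset;
}

int main(void)
{
    /* Constructed geometry: 40000 lines of 60000 bytes = 2.4 GB, past INT_MAX. */
    int k = 40000, nLineSpace = 60000;
    printf("pre-fix int product     : %d\n", offset_prefix(k, nLineSpace));
    printf("fixed size_t product    : %zu\n", offset_fixed(k, nLineSpace));
    printf("32-bit size_t model (2k): %u\n", offset_fixed_32bit(2 * k, nLineSpace));
    printf("in bounds of 3 GB buffer: %d\n",
           offset_in_bounds(offset_fixed(k, nLineSpace), 60000, 3000000000ULL));
    return 0;
}
```

On a 64-bit host the pre-fix product comes out as -1894967296 while the size_t product is the correct 2400000000; doubling k to 80000 drives the 32-bit model past 2^32 and it wraps to 505032704, a positive but wrong offset, which is why the cast alone is not a complete fix on 32-bit builds and the bounds check is still worth having.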
