Opened 10 years ago
Closed 10 years ago
#5713 closed defect (fixed)
Integer overflow in rasterio.cpp
Reported by: | patnichols | Owned by: | warmerdam |
---|---|---|---|
Priority: | normal | Milestone: | 1.11.2 |
Component: | GDAL_Raster | Version: | 1.11.1 |
Severity: | normal | Keywords: | integer overflow |
Cc: |
Description
For several large strips using the DG/Earthwatch .TIL format, we get segmentation faults due to integer overflow. I was able to fix the problem by redefining the offsets to be size_t. Here is the svn diff:
--- gcore/rasterio.cpp (revision 27889) +++ gcore/rasterio.cpp (working copy) @@ -235,7 +235,7 @@
size_t iBufOffset, iSrcOffset; int nXSpan;
- iBufOffset = (size_t)iBufYOff * nLineSpace;
+ iBufOffset = ((size_t)iBufYOff) * ((size_t)nLineSpace);
nLBlockY = iSrcY / nBlockYSize; nLBlockX = nLBlockXStart; iSrcX = nXOff;
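Review bot: The added cast on nLineSpace in the "iBufOffset = ..." line is redundant. The original line already casts iBufYOff to size_t, so the multiplication is already carried out at size_t width or wider, and iBufOffset is declared size_t on the context line above. This hunk changes no behaviour and can be dropped to keep the patch limited to the expressions that actually overflow.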
@@ -296,11 +296,11 @@
&& nPixelSpace == nBufDataSize )
{
if( eRWFlag == GF_Read )
- memcpy( ((GByte *) pData) + iBufOffset + k * nLineSpace,
- pabySrcBlock + iSrcOffset, nXSpanSize );
+ memcpy( ((GByte *) pData) + iBufOffset + ((size_t)k) * ((size_t)nLineSpace), + pabySrcBlock + ((size_t)iSrcOffset), nXSpanSize );
else
memcpy( pabySrcBlock + iSrcOffset,
- ((GByte *) pData) + iBufOffset + k * nLineSpace, nXSpanSize );
+ ((GByte *) pData) + ((size_t)iBufOffset) + ((size_t)k) * ((size_t)nLineSpace), nXSpanSize );
} else {
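Review bot: The casts on iSrcOffset in the read branch and on iBufOffset in the write branch are no-ops, since both are declared size_t in the first hunk's context line, and they are applied to different variables in the two memcpy calls, which makes the branches look as if they differ. Only "k * nLineSpace" needs widening, and casting one operand, "(size_t)k * nLineSpace", is enough. Consider computing that product once into a size_t local just before the "if( eRWFlag == GF_Read )" test so both branches use the same value, with a short comment saying the widening is there to avoid a 32-bit overflow on large buffers.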
Thanks, Pat Nichols
Change History (1)
comment:1 by , 10 years ago
Milestone: | → 1.11.2 |
---|---|
Resolution: | → fixed |
Status: | new → closed |
I didn't take the "iBufOffset = ((size_t)iBufYOff) * ((size_t)nLineSpace);" since I think that the cast of the first member is sufficient, but tell me if I'm wrong (although that would defeat quite many assumptions I had on how type promotion worked in C/C++ ...)
I've merged the other changes. Thanks
trunk r27903, branches/1.11 r27904 "Fix 32bit overflow in GDALRasterBand::IRasterIO() (#5713)"
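The overflow and the promotion question discussed in this ticket, as an added example that is not GDAL code or part of the original ticket. The function names and the sample values are hypothetical, and a 64-bit size_t is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 64-bit size_t, the case where widening the multiply helps. */
_Static_assert(sizeof(size_t) == 8, "example assumes a 64-bit size_t");

/* "k * nLineSpace" with two 32-bit ints. Signed overflow is undefined
 * behaviour, so the two's-complement wrap is modelled with unsigned
 * arithmetic and then reinterpreted as the signed value a 32-bit int
 * would typically hold. Hypothetical helper, not a GDAL function. */
static int64_t offset_int32(int k, int nLineSpace)
{
    uint32_t wrapped = (uint32_t)k * (uint32_t)nLineSpace;
    return (wrapped & 0x80000000u) ? (int64_t)wrapped - 4294967296LL
                                   : (int64_t)wrapped;
}

/* Both operands cast, as in the submitted patch. */
static size_t offset_both_cast(int k, int nLineSpace)
{
    return ((size_t)k) * ((size_t)nLineSpace);
}

/* Only the first operand cast: the usual arithmetic conversions convert
 * the int operand to size_t before the multiplication. */
static size_t offset_first_cast(int k, int nLineSpace)
{
    return (size_t)k * nLineSpace;
}

int main(void)
{
    /* Constructed values: 40000 lines of 60000 bytes, past INT32_MAX. */
    int k = 40000, nLineSpace = 60000;
    printf("int * int              : %lld\n",
           (long long)offset_int32(k, nLineSpace));
    printf("(size_t)k * (size_t)n  : %zu\n", offset_both_cast(k, nLineSpace));
    printf("(size_t)k * n          : %zu\n", offset_first_cast(k, nLineSpace));
    return 0;
}
```

The 32-bit product comes out negative, which is the kind of offset that sends memcpy outside the buffer, while both cast forms give the same in-range byte offset.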