Opened 9 years ago

Closed 9 years ago

#5734 closed defect (fixed)

GDAL seg faults reading large vrt images

Reported by: patnichols
Owned by: warmerdam
Priority: normal
Milestone: 1.11.2
Component: GDAL_Raster
Version: svn-trunk
Severity: normal
Keywords: integer overflow, vrt
Cc:

Description

I have found an integer overflow in frmts/vrt/vrtsources.cpp on approximately line 1676 (in gdal.1.11 svn repo source file).

    return RasterIOInternal(nReqXOff, nReqYOff, nReqXSize, nReqYSize,
                            ((GByte *)pData)
                            + nPixelSpace * nOutXOff + nLineSpace * nOutYOff,
                            nOutXSize, nOutYSize, eBufType, nPixelSpace, nLineSpace );

I think we need a type cast to size_t here to prevent overflow. For example:

    return RasterIOInternal(nReqXOff, nReqYOff, nReqXSize, nReqYSize,
                            ((GByte *)pData)
                            + nPixelSpace * nOutXOff + (size_t)nLineSpace * nOutYOff,
                            nOutXSize, nOutYSize, eBufType, nPixelSpace, nLineSpace );

Thanks for patience and for fixing these bugs so fast! Pat

Change History (1)

comment:1 by Even Rouault, 9 years ago

Resolution: fixed
Status: new → closed

trunk r27956, branches/1.11 r27957 "VRT: fix integer overflow when dealing with buffer > 2GB (patch by patnichols, #5734)"
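
The following is an added example, not code from the ticket or from GDAL. It shows why the pointer offset in the description goes wrong once the destination buffer exceeds 2 GB: the `int * int` products are emulated with two's-complement wraparound (the usual outcome, although signed overflow is formally undefined behaviour), next to a widened, bounds-checked form. The names `wrap32`, `offset_int_products` and `checked_offset`, the rejection of negative values, and the sample dimensions are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Value a 32-bit two's-complement int is left with after wraparound.
 * Computed in 64 bits so this demo itself has no undefined behaviour. */
static int32_t wrap32(int64_t v)
{
    uint64_t low = (uint64_t)v & 0xFFFFFFFFu;
    return low >= 0x80000000u ? (int32_t)((int64_t)low - 0x100000000LL)
                              : (int32_t)low;
}

/* pData + nPixelSpace * nOutXOff + nLineSpace * nOutYOff with int operands:
 * each product is evaluated as int before it is added to the pointer. */
int64_t offset_int_products(int nPixelSpace, int nLineSpace,
                            int nOutXOff, int nOutYOff)
{
    return (int64_t)wrap32((int64_t)nPixelSpace * nOutXOff)
         + (int64_t)wrap32((int64_t)nLineSpace * nOutYOff);
}

/* Hypothetical helper: widen both products before multiplying and
 * refuse offsets outside the destination buffer. Negative spacings or
 * offsets are rejected (assumption of this example).
 * Returns 0 on success, -1 otherwise. */
int checked_offset(int nPixelSpace, int nLineSpace, int nOutXOff,
                   int nOutYOff, uint64_t nBufBytes, uint64_t *pnOffset)
{
    if (nPixelSpace < 0 || nLineSpace < 0 || nOutXOff < 0 || nOutYOff < 0)
        return -1;
    uint64_t off = (uint64_t)nPixelSpace * (uint64_t)nOutXOff
                 + (uint64_t)nLineSpace * (uint64_t)nOutYOff;
    if (off >= nBufBytes)
        return -1;
    *pnOffset = off;
    return 0;
}

int main(void)
{
    /* Constructed sample: 50000 x 50000 one-byte pixels, window at (100, 45000). */
    uint64_t off = 0;
    int rc = checked_offset(1, 50000, 100, 45000, 2500000000ULL, &off);
    printf("int products: %lld\n", (long long)offset_int_products(1, 50000, 100, 45000));
    printf("widened:      rc=%d offset=%llu\n", rc, (unsigned long long)off);
    return 0;
}
```

With the constructed values the line term is 2,250,000,000 bytes, which exceeds `INT_MAX`, so the emulated `int` product turns into a large negative offset that points before the start of the buffer.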
