Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#6266 closed defect (fixed)

Buffer overflow in PamHistogramToXMLTree()

Reported by: Ari Jolma Owned by: warmerdam
Priority: normal Milestone: 2.0.2
Component: GDAL_Raster Version: unspecified
Severity: normal Keywords: long long


In this fct there is a sprintf to a buffer (gdalpamrasterband.cpp:1107). The buffer is allocated with size 12*n + 10, n being the number of GUIntBig values to be written.

However, GUIntBig may be as big as 18446744073709551615 ( which is 20 characters long. 12 is thus too small and it may and will cause a heap corruption error. This error appears sometimes in the Perl bindings test 03.t, which sets very large numbers into the deafult histogram. For example in

Change History (4)

comment:1 by Ari Jolma, 8 years ago

Similar bugs may be where sprintf and long long's are used. I did not check.

Last edited 8 years ago by Ari Jolma (previous) (diff)

comment:2 by Ari Jolma, 8 years ago

I did not find other places where the buffer is clearly too small.

comment:3 by Ari Jolma, 8 years ago

Resolution: fixed
Status: newclosed

This seems to have been fixed last week(!) in the trunk r32078. :) Perhaps backporting is not needed and I can just remove the test from the pre-2.1 versions.

comment:4 by Even Rouault, 8 years ago

Milestone: 2.0.2

branches/2.0 r32191 "Fix potential buffer overflow in PamHistogramToXMLTree() (#6266)" Older branches aren't affected.

Note: See TracTickets for help on using tickets.