#6266 closed defect (fixed)
Buffer overflow in PamHistogramToXMLTree()
| Reported by: | Ari Jolma | Owned by: | warmerdam |
|---|---|---|---|
| Priority: | normal | Milestone: | 2.0.2 |
| Component: | GDAL_Raster | Version: | unspecified |
| Severity: | normal | Keywords: | long long |
| Cc: |
Description
In this fct there is a sprintf to a buffer (gdalpamrasterband.cpp:1107). The buffer is allocated with size 12*n + 10, n being the number of GUIntBig values to be written.
However, GUIntBig may be as big as 18446744073709551615 (http://stackoverflow.com/questions/589575/what-does-the-c-standard-state-the-size-of-int-long-type-to-be) which is 20 characters long. 12 is thus too small and it may and will cause a heap corruption error. This error appears sometimes in the Perl bindings test 03.t, which sets very large numbers into the deafult histogram. For example in http://www.cpantesters.org/cpan/report/503dafc2-a357-11e5-a04d-1fea233d5411
Change History (4)
comment:3 by , 8 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
This seems to have been fixed last week(!) in the trunk r32078. :) Perhaps backporting is not needed and I can just remove the test from the pre-2.1 versions.
comment:4 by , 8 years ago
| Milestone: | → 2.0.2 |
|---|
Similar bugs may be where sprintf and long long's are used. I did not check.