Opened 14 years ago
Closed 14 years ago
#27 closed defect (fixed)
[PATCH] Avoids out of bound array access when gt_num_keys is too big
| Reported by: | rouault | Owned by: | warmerdam |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | libgeotiff | Version: | |
| Keywords: | Cc: |
Description
With the attached file, I get the following Valgrind warning :
==20574== Invalid read of size 2 ==20574== at 0x5052B80: GTIFNewWithMethods (geo_new.c:211) ==20574== by 0x5052E53: GTIFNew (geo_new.c:60) ==20574== by 0x505CD1C: GTiffDataset::LookForProjection() (geotiff.cpp:4437) ==20574== by 0x505D018: GTiffDataset::GetProjectionRef() (geotiff.cpp:6908) ==20574== by 0x402B9B: main (gdalinfo.c:210) ==20574== Address 0xe4b07d8 is 0 bytes after a block of size 2,008 alloc'd ==20574== at 0x4C23082: realloc (vg_replace_malloc.c:429) ==20574== by 0x5052A82: GTIFNewWithMethods (geo_new.c:114) ==20574== by 0x5052E53: GTIFNew (geo_new.c:60) ==20574== by 0x505CD1C: GTiffDataset::LookForProjection() (geotiff.cpp:4437) ==20574== by 0x505D018: GTiffDataset::GetProjectionRef() (geotiff.cpp:6908) ==20574== by 0x402B9B: main (gdalinfo.c:210)
This is due to the loop in geo_new.c around line 176:
entptr = ((KeyEntry *)data) + 1;
[snip]
for (index=1; index<=count; index++,entptr++)
{
if (!ReadKey(gt, &tempData, entptr, ++keyptr))
goto failure;
/* Set up the index (start at 1, since 0=unset) */
gt->gt_keyindex[entptr->ent_key] = index;
}
So, the data array must hold at least "(count+1) * sizeof(KeyEntry)" bytes. data is allocated to have "(4+MAX_VALUES)*sizeof(pinfo_t)" bytes (lines 103 and 114), hence the test in the patch
Attachments (2)
Change History (3)
by , 14 years ago
| Attachment: | ticket_geotiff_27.tif added |
|---|
by , 14 years ago
| Attachment: | patch_geotiff_27.patch added |
|---|
comment:1 by , 14 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
Patch applied in trunk (r1838). I wish libgeotiff had an error reporting mechanism!