MRF: DeflateBlock(): avoid potential buffer overrun #12183

Merged
merged 1 commit into from
Apr 27, 2025

@rouault (Member) commented Apr 20, 2025

Fixes Coverity 1432696

Relevant lines of Coverity analysis

```
827    {

CID 1432696: (#1 of 1): Out-of-bounds access (OVERRUN)
21. overrun-buffer-arg: Overrunning dynamic array filedst.buffer by passing it to a function that accesses it at byte filedst.size + 63.
828        usebuff = DeflateBlock(filedst, poMRFDS->pbsize - filedst.size,
829                               deflate_flags);

291    // If we allocated a buffer, we need to copy the data to the input buffer.
7. access_dbuff_in_call: Calling memcpy indexes array src.buffer with index src.size.
292    memcpy(src.buffer, dbuff, src.size);
```

CC @lucianpls

At the beginning I thought this was a false positive from Coverity Scan, but reading and re-reading the code again, I believe it is right and at least theoretically we could potentially overrun src.buffer, hence the check I've added (I'm not sure Coverity will realize that this added check prevents the overrun from happening).

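The hazard discussed in the comment above, as an added C sketch that is not GDAL's code and not the check this PR merged: output produced in a separately allocated scratch buffer is copied back into the source buffer only after it is verified to fit. `buf_t`, `toy_pack` and `pack_in_place` are hypothetical names, the toy encoder stands in for the real compressor, and the 64-byte scratch slack is an assumption chosen to match the `filedst.size + 63` offset in the Coverity report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { unsigned char *buffer; size_t size; } buf_t; /* hypothetical type */
/* Toy encoder (assumption, replaces the real compressor): tag byte, then run-length
 * pairs, or the raw bytes when RLE would be larger than the input. Needs cap >= 1. */
static size_t toy_pack(const buf_t *src, unsigned char *dst, size_t cap)
{
    size_t o = 1, i = 0;
    while (i < src->size && o + 2 <= cap && o + 2 <= src->size) {
        size_t run = 1;
        while (i + run < src->size && run < 255 && src->buffer[i + run] == src->buffer[i])
            run++;
        dst[o++] = (unsigned char)run;
        dst[o++] = src->buffer[i];
        i += run;
    }
    if (i == src->size) { dst[0] = 'R'; return o; }
    if (cap < src->size + 1) return 0;          /* stored form does not fit in dst */
    dst[0] = 'S';
    memcpy(dst + 1, src->buffer, src->size);
    return src->size + 1;                       /* incompressible input grows by one */
}

/* src->buffer holds src->size used bytes plus extrasize free bytes; NULL on failure. */
static unsigned char *pack_in_place(buf_t *src, size_t extrasize)
{
    unsigned char *tmp = NULL, *dst = src->buffer + src->size;
    size_t dst_cap = extrasize;
    if (extrasize < src->size + 64) {   /* too little trailing room: use scratch */
        dst_cap = src->size + 64;
        if (!(dst = tmp = malloc(dst_cap))) return NULL;
    }
    size_t packed = toy_pack(src, dst, dst_cap);
    /* Scratch holds up to size + 64 bytes, src->buffer only size + extrasize. */
    if (packed == 0 || (tmp && packed > src->size + extrasize)) { free(tmp); return NULL; }
    src->size = packed;                 /* size field now carries the output length */
    if (!tmp) return dst;               /* packed in the trailing free space */
    memcpy(src->buffer, tmp, packed);   /* safe: bounded by the check above */
    free(tmp);
    return src->buffer;
}

int main(void)
{
    unsigned char raw[] = "constructed sample: incompressible text"; /* 40 bytes with NUL */
    buf_t b = { raw, sizeof raw };
    return puts(pack_in_place(&b, 0) ? "packed" : "rejected: would not fit") < 0;
}
```

Without the `packed > src->size + extrasize` test, the sample in `main` would copy 41 bytes into a 40-byte array.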
@rouault added the "funded through GSP" label (Work funded through the GDAL Sponsorship Program) Apr 20, 2025

@coveralls (Collaborator)

Coverage Status

coverage: 70.702% (-0.02%) from 70.719%
when pulling 2c09d2c on rouault:mrf_deflateblock
into 19671ee on OSGeo:master.

@rouault rouault merged commit dff389b into OSGeo:master Apr 27, 2025
48 of 49 checks passed