OSGeo / gdal

GDAL is an open source MIT licensed translator library for raster and vector geospatial data formats.
https://gdal.org

Heap corruption in shapefile driver #10451

Closed fortinalex closed 3 weeks ago

fortinalex commented 1 month ago

What is the bug?

There is a heap corruption issue caused by an array overflow in the shapefile driver. In function Repack() of ogrshapelayer.cpp the following line (line 2864 in version 3.9.1) can write outside of the array.

`panRecordsToDelete[nDeleteCount] = -1;`

This happens when the number of deleted items (nDeleteCount) is exactly equal to the size of the allocated array.

An easy fix is to change this line (line 2819 in version 3.9.1)

`if (nDeleteCount == nDeleteCountAlloc)` to `if (nDeleteCount == nDeleteCountAlloc - 1)`

Steps to reproduce the issue

Running in Debug, delete exactly 202 features from a shapefile and call the Repack function. The problem should happen also when deleting exactly 128 features but it has not been tested. In Release mode the heap corruption may not be apparent each time.

Versions and provenance

The problem was first detected in GDAL 3.7.0 and is still present in version 3.9.1. The line numbers in the bug report refer to the file contained in the 2024-06-26 gdal-3.9.1.tar.gz archive as downloaded on July 18th 2024.

Additional context

No response
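The capacity bookkeeping behind the report, modelled as an added example (this is not GDAL's own code): the growth policy (start at 128, grow by alloc + alloc/2 + 10) is an assumption chosen because it reproduces the 128 and 202 figures given above, and the std::vector variant mirrors the approach the maintainer's fix takes, appending the -1 sentinel like any other element.

```cpp
#include <cstddef>
#include <vector>

// Capacity the deletion list ends with after nDeleteCount appends.
// Initial size and growth formula are assumptions (see lead-in).
static int finalCapacity(int nDeleteCount, bool fixedCheck)
{
    int nDeleteCountAlloc = 128;
    for (int n = 0; n < nDeleteCount; ++n)
    {
        // Buggy check: grow only when the array is completely full. The
        // append that follows then occupies the last slot, so the later
        // sentinel write has no room left.
        // Fixed check (the reporter's suggestion): grow one element early.
        const bool mustGrow = fixedCheck ? (n == nDeleteCountAlloc - 1)
                                         : (n == nDeleteCountAlloc);
        if (mustGrow)
            nDeleteCountAlloc = nDeleteCountAlloc + nDeleteCountAlloc / 2 + 10;
    }
    return nDeleteCountAlloc;
}

// True when panRecordsToDelete[nDeleteCount] = -1 would land one past the
// end of the allocation, i.e. the heap corruption described in the report.
bool sentinelOverflows(int nDeleteCount, bool fixedCheck)
{
    return nDeleteCount >= finalCapacity(nDeleteCount, fixedCheck);
}

// Hardened form: std::vector owns the capacity, and the sentinel is pushed
// like any other element, so no index arithmetic can get it wrong.
std::vector<int> buildDeleteList(const std::vector<bool> &deleted)
{
    std::vector<int> records;
    for (std::size_t i = 0; i < deleted.size(); ++i)
        if (deleted[i])
            records.push_back(static_cast<int>(i));
    records.push_back(-1);  // terminator, always within bounds
    return records;
}
```

With the buggy check, exactly 128 or 202 deletions overflow while 127 or 129 do not; with the corrected check, none of them do.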

rouault commented 1 month ago

@fortinalex Thanks for the report and fix suggestion. Fixed in a more robust & straightforward way using std::vector in PR #10452