buffer overflow for long dataset name
fhs opened this issue · comments
The following program crashes. This bug existed in pyhdf before this fork.
```python
from pyhdf.SD import SD, SDC
d = SD('test.hdf', SDC.WRITE|SDC.CREATE|SDC.TRUNC)
v1 = d.create(95*'a', SDC.INT32, 3)
v1.set([1,2,3])
v1.endaccess()
d.end()
```
I've tracked it down to the buffer sds_name in hdfext.i:
```
%cstring_bounded_output(char *sds_name, 64);
extern int32 SDgetinfo(int32 sds_id, char *sds_name, int32 *OUTPUT, void *buf,
                       int32 *OUTPUT, int32 *OUTPUT);
%clear char *sds_name;
```
HDF documentation agrees that the buffer size should be 64:
http://www.hdfgroup.org/training/HDFtraining/RefManual/RM_Section_II_SD.fm15.html
However, the HDF source code seems to copy the entire dataset name to sds_name (see mfhdf/libsrc/mfsd.c).
Hi Fazlul,
You also have to modify the underlying C program (hdfext_wrap.c) in the function SDgetinfo:
Line 5467:
temp2[64+1]
and Line 5494:
arg2[64] = 0
I would suggest against hard coding these values.
hdfext_wrap.c is auto-generated from hdfext.i when you run:
```
swig -python hdfext.i
```
You might need to install swig (http://www.swig.org/)
Hi Fazlul,
Thanks, I did not realize this. My experience with swig is null.
Thanks,
Eric
On 03/27/2014 08:52 AM, Fazlul Shahriar wrote:
> hdfext_wrap.c is auto-generated from hdfext.i when you run:
> swig -python hdfext.i
> You might need to install swig (http://www.swig.org/)
Hi Fazlul,
I dug into the issue a little deeper. Within the HDF 4 libraries, the 64-character variable name limit has been removed since version 4.2r2. I allowed the swig function %cstring_bounded_output to size sds_name to 256 on line 493 of hdfext.i. Using the latest libraries everything seemed to work fine.
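The bound arithmetic behind this thread, as an added C sketch that is not part of the discussion and is not pyhdf or HDF code: it compares a wrapper temporary of `bound + 1` bytes (the `temp2[64+1]` shape quoted above) against a getter that copies the whole name, for bounds of 64 and 256, next to a copy sized from the actual length. `lib_get_name`, `fixed_bound_overflows`, `get_name_sized` and `make_name` are hypothetical names, the unbounded copy is an assumption modelled on the behaviour reported in the first post, and the overflow is only computed, never performed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the library call: like the behaviour reported
   in this thread, it copies the whole stored name and ignores buffer size. */
static void lib_get_name(const char *stored, char *out) { strcpy(out, stored); }

/* Bytes the library will write for this name, including the NUL. */
size_t bytes_written(const char *stored) { return strlen(stored) + 1; }

/* Models a wrapper generated with a fixed bound (temp[bound + 1]):
   returns 1 if the library's copy would run past the temporary. */
int fixed_bound_overflows(const char *stored, size_t bound) {
    return bytes_written(stored) > bound + 1;
}

/* Hardened shape: size the buffer from the real length before the copy.
   Caller frees the result; returns NULL on allocation failure. */
char *get_name_sized(const char *stored) {
    size_t need = bytes_written(stored);
    char *buf = malloc(need);
    if (buf == NULL) return NULL;
    lib_get_name(stored, buf);
    return buf;
}

/* Constructed sample input: a name of n 'a' characters (caller frees). */
char *make_name(size_t n) {
    char *s = malloc(n + 1);
    if (s == NULL) return NULL;
    memset(s, 'a', n);
    s[n] = '\0';
    return s;
}

int main(void) {
    size_t lens[] = {63, 64, 95, 256, 300};
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        char *name = make_name(lens[i]);
        if (name == NULL) return 1;
        char *copy = get_name_sized(name);
        printf("len %3zu: bound 64 %s, bound 256 %s, sized ok=%d\n", lens[i],
               fixed_bound_overflows(name, 64) ? "OVERFLOW" : "ok",
               fixed_bound_overflows(name, 256) ? "OVERFLOW" : "ok",
               copy != NULL && strcmp(copy, name) == 0);
        free(copy); free(name);
    }
    return 0;
}
```

Under that assumption, a larger fixed bound moves the failing length from 65 to 257 characters, while the length-sized copy has no such threshold.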