[gdal-dev] Memory corruption in PNG driver with Microsoft Debug DLLs?

Shaw, Jonathan-P29740 Jonathan.Shaw at gdc4s.com
Wed Mar 31 18:08:03 EDT 2010


The code below may cause a memory access violation in GDALClose() if the
source dataset is in PNG format. The PNG driver appears to be corrupting
memory by unintentionally writing into parts of GDALPamDataset (its base
class), and perhaps into other areas, too?

This is evidenced if you open a PNG dataset and then view the value of
its GetPamFlags() integer. Whether or not GDALClose() crashes, the PAM
flag is way out of range. Commenting out the NOSAVE bit setting will
apparently clear the crash issue, but not the PAM object corruption.
For me, the corruption is only evident if the Microsoft Debug DLLs are
used (Multi-threaded Debug DLL /MDd, or Multi-threaded Debug /MTd).

I used FWTools 2.4.7 (GDAL 1.7.0b2) on a Windows XP 64-bit system. I
built the test app below using Visual Studio 2008 SP1 (9.0.30729.1 SP).

I tried to create a ticket in trac.osgeo.org/gdal, but it says I do not
have create ticket permission.

Thanks,
Jonathan



#include <iostream>
#include <gdal.h>
#include <gdal_priv.h> // for GDALDataset
#include <gdal_pam.h> // for GDALPamDataset

int main(int argc, char **argv)
{
    GDALAllRegister();
    GDALDataset *ds = (GDALDataset *)GDALOpen(
        "S:\\Maps\\aux_test.png", GA_ReadOnly);
    if (ds == NULL)
    {
        // bail out cleanly instead of passing a null handle to GDALClose()
        std::cerr << "GDALOpen failed" << std::endl;
        GDALDestroyDriverManager();
        return 1;
    }

    // the PNG dataset derives from GDALPamDataset, so this cast is
    // expected to succeed for a PNG source
    GDALPamDataset *pamDs = dynamic_cast<GDALPamDataset *>(ds);
    if (pamDs != NULL)
    {
        // with Debug DLLs, this prints a number like 18666064,
        // while with release DLLs, this outputs 0.
        std::cout << "Initial flags: "
            << pamDs->GetPamFlags() << std::endl;

        int pamFlags = pamDs->GetPamFlags();
        pamFlags |= GPF_NOSAVE;

        // changing flag further corrupts PNG dataset?
        pamDs->SetPamFlags(pamFlags);
    }

    GDALClose(ds); // access violation with MSFT Debug DLLs

    GDALDestroyDriverManager();
    return 0;
}


