[ROOT-6240] Bug allows write-protecting ROOT files Created: 17/Apr/14 Updated: 18/Apr/14 Resolved: 17/Apr/14
|Reporter:||Daniel Geerts||Assignee:||Philippe Canal|
Write-protecting ROOT files; feature or bug?
If I manually change the NBytesFree in the ROOT file header to -1, the following happens. First, in void TFile::Init(Bool_t create):
This calls void TFile::ReadFree(), which does:
TKey *headerfree = new TKey(fSeekFree, fNbytesFree, this);
which allocates a buffer, like: new char [fNbytesFree]
The value of fNbytesFree is never checked. If I change a ROOT file header to have -1 for fNbytesFree (because it's a signed integer), ROOT tries to allocate several terabytes of memory (in other words, it crashes hard: bad alloc). However, since this code only executes if fWritable==true, this only happens if the file gets opened in a writable mode ("UPDATE" for example). So opening the file read-only works perfectly, but ROOT crashes when trying to open the file with writing enabled. This basically creates a write-protection on the file.
(Code to produce a "write-protected" ROOT file attached.)
|Comment by Philippe Canal [ 17/Apr/14 ]|
Thank you for your report. A protection was added to avoid using the -1 value.
|Comment by Daniel Geerts [ 18/Apr/14 ]|
Thanks for this (and all the other) fixes!
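
An added example, not part of the original report and not ROOT's actual fix: a check of the kind discussed above, validating a signed length field read from a file header against the file size before any buffer is allocated. The helper names, the big-endian encoding and the sample bytes are assumptions constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Decode a signed 32-bit length field (assumed big-endian) from header bytes.
int32_t read_be_i32(const unsigned char *p) {
    uint32_t u = (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
                 (uint32_t(p[2]) << 8) | uint32_t(p[3]);
    return static_cast<int32_t>(u);
}

// Size an unchecked `new char[nbytes]` ends up requesting: the signed value
// is converted to size_t, so -1 turns into the largest possible request.
std::size_t unchecked_request(int32_t nbytes) {
    return static_cast<std::size_t>(nbytes);
}

// Hypothetical guard: accept the record at (seek, nbytes) only if it lies
// entirely inside the file. On false, `out` is untouched and nothing is
// allocated, so the caller can reject the file cleanly instead of crashing.
bool load_free_record(int64_t seek, int32_t nbytes, int64_t file_size,
                      std::vector<char> &out) {
    if (nbytes <= 0) return false;                         // negative or empty
    if (seek < 0 || seek > file_size) return false;        // offset outside file
    if (int64_t(nbytes) > file_size - seek) return false;  // runs past EOF
    out.assign(static_cast<std::size_t>(nbytes), 0);
    return true;
}

int main() {
    // Constructed sample: a length field overwritten with -1 (0xFFFFFFFF).
    const unsigned char field[4] = {0xFF, 0xFF, 0xFF, 0xFF};
    int32_t nbytes = read_be_i32(field);
    std::vector<char> buf;
    std::printf("decoded length: %d\n", nbytes);
    std::printf("unchecked request: %zu bytes\n", unchecked_request(nbytes));
    std::printf("guard accepts: %s\n",
                load_free_record(100, nbytes, 1000, buf) ? "yes" : "no");
    return 0;
}
```

The same bounds check applies to any size or offset taken from an untrusted file header, whichever open mode reaches the code path.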