[ROOT-6240] Bug allows write-protecting ROOT files Created: 17/Apr/14  Updated: 18/Apr/14  Resolved: 17/Apr/14

Status: Closed
Project: ROOT
Component/s: I/O
Affects Version/s: 5.34/00
Fix Version/s: None

Type: Bug Priority: High
Reporter: Daniel Geerts Assignee: Philippe Canal
Resolution: Fixed Votes: 0
Labels: None


Attachments: File WriteProtectROOTFile.C    


Write-protecting ROOT files; feature or bug?

If I manually change the NBytesFree in the ROOT file header to -1, the following happens. First, in void TFile::Init(Bool_t create):

//------------Read Free segments structure if file is writable
if (fWritable) {
fFree = new TList;
if (fSeekFree > fBEGIN) {

This calls void TFile::ReadFree(), which does:

TKey *headerfree = new TKey(fSeekFree, fNbytesFree, this);

which allocates a buffer, like: new char [fNbytesFree]

The value of fNbytesFree is never checked. If I change a ROOT file-header to have -1 for fNbytesFree (because it's a signed integer), ROOT tries to allocate several terabytes of memory (in other words, it crashes hard: bad alloc). However, since this code only executes if fWritable==true, this only happens if the file gets opened in a write-able mode ("UPDATE" for example). So opening the file read-only works perfectly, but ROOT crashes when trying to open the file with writing enabled. This basically creates a write-protection on the file.

(Code to produce a "write-protected" ROOT file attached.)

Comment by Philippe Canal [ 17/Apr/14 ]


Thank you for your report. A protection was added to avoid using the -1 value.


Comment by Daniel Geerts [ 18/Apr/14 ]

Thanks for this (and all the other) fixes!

Generated at Mon Feb 17 07:28:39 CET 2020 using Jira 8.3.4#803005-sha1:1f96e09b3c60279a408a2ae47be3c745f571388b.