[ROOT-6240] Bug allows write-protecting ROOT files Created: 17/Apr/14  Updated: 18/Apr/14  Resolved: 17/Apr/14

Status: Closed
Project: ROOT
Component/s: I/O
Affects Version/s: 5.34/00
Fix Version/s: None

Type: Bug Priority: High
Reporter: Daniel Geerts Assignee: Philippe Canal
Resolution: Fixed Votes: 0
Labels: None
Environment:

all


Attachments: File WriteProtectROOTFile.C    
Development:

 Description   

Write-protecting ROOT files; feature or bug?

If I manually change the NBytesFree in the ROOT file header to -1, the following happens. First, in void TFile::Init(Bool_t create):

//------------Read Free segments structure if file is writable
if (fWritable) {
fFree = new TList;
if (fSeekFree > fBEGIN) {
ReadFree();

This calls void TFile::ReadFree(), which does:

TKey *headerfree = new TKey(fSeekFree, fNbytesFree, this);

which allocates a buffer, like: new char [fNbytesFree]

The value of fNbytesFree is never checked. If I change a ROOT file-header to have -1 for fNbytesFree (because it's a signed integer), ROOT tries to allocate several terabytes of memory (in other words, it crashes hard: bad alloc). However, since this code only executes if fWritable==true, this only happens if the file gets opened in a write-able mode ("UPDATE" for example). So opening the file read-only works perfectly, but ROOT crashes when trying to open the file with writing enabled. This basically creates a write-protection on the file.

(Code to produce a "write-protected" ROOT file attached.)



 Comments   
Comment by Philippe Canal [ 17/Apr/14 ]

Hi,

Thank you for your report. A protection was added to avoid using the -1 value.

Cheers,
Philippe.

Comment by Daniel Geerts [ 18/Apr/14 ]

Thanks for this (and all the other) fixes!

Generated at Wed Sep 18 15:28:29 CEST 2019 using Jira 7.13.1#713001-sha1:5e06076c2d215a6f699b7e5c90ab2fae7ba5a1ce.