Reject TIFFs whose declared tile grid exceeds TileOffsets length (#1219)#1221
Merged
brendancol merged 2 commits intomasterfrom Apr 20, 2026
Merged
Reject TIFFs whose declared tile grid exceeds TileOffsets length (#1219)#1221brendancol merged 2 commits intomasterfrom
brendancol merged 2 commits intomasterfrom
Conversation
A TIFF can declare image dimensions that imply more tiles than its TileOffsets tag supplies. The GPU _assemble_tiles_kernel reads tile_out_offsets[tile_idx] where tile_idx is computed from the output pixel position, so threads whose pixel maps past the supplied count perform out-of-bounds device reads. The CPU _read_tiles loop silently skips those tiles with `if tile_idx >= len(offsets): continue` and returns a zero-padded raster. Add validate_tile_layout(ifd) in _header.py and call it from _read_tiles, _read_cog_http, and open_geotiff_gpu. Raises ValueError with the mismatch count before any decode work runs.
Contributor
Author
|
@copilot resolve the merge conflicts in this pull request |
Co-authored-by: brendancol <433221+brendancol@users.noreply.github.com>
Contributor
Merge conflicts resolved in f40dd67. The only conflict was in |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
A TIFF can declare
ImageWidth / ImageLengthandTileWidth / TileLengththat implytiles_across * tiles_down = Ntiles while itsTileOffsetstag has fewer thanNentries. The GPU_assemble_tiles_kernelcomputestile_idx = tile_row * tiles_across + tile_colfrom the output pixel position and readstile_out_offsets[tile_idx]past the end of the device buffer. The CPU path silently skips the missing tiles (if tile_idx >= len(offsets): continuein_read_tiles), returning a zero-padded raster with no error.Fix
Fail fast in the header layer. A new
validate_tile_layout(ifd)in_header.pychecks thatlen(tile_offsets) >= tiles_across * tiles_down(timessamples_per_pixelwhen planar config is 2) and raisesValueErrorwith the mismatch. It's called from:_read_tiles(the windowed-read path)_read_cog_http(the HTTP COG path)open_geotiff_gpuingeotiff/__init__.pybefore the GPU dispatchTest plan
TestTileLayoutValidationinxrspatial/geotiff/tests/test_security.py:validate_tile_layoutraises when TileOffsets count is smaller than the declared gridvalidate_tile_layoutaccepts a well-formed tiled TIFFvalidate_tile_layoutis a no-op for stripped TIFFs_read_tilesraisesValueErrorinstead of silently zero-paddingread_to_arrayend-to-end raisesValueErroron the malformed inputThe helper
_make_short_offsets_tiffbuilds a normal tiled TIFF and rewrites the TileOffsets IFD entry to advertise a smaller count without truncating the data blob, so the resulting file passes every earlier check.Full geotiff suite: 441 passed, 4 skipped. 3 pre-existing matplotlib-deepcopy failures in
TestPalettereproduce on master.Closes #1219. Related to #1215.