Summary
xrspatial/reproject/_grid.py _compute_output_grid() (lines 199-202) computes output dimensions as:
width = max(1, int(round((right - left) / res_x)))
height = max(1, int(round((top - bottom) / res_y)))
When a user passes a very small resolution parameter (e.g. resolution=1e-8 on a continent-wide extent), this produces grid dimensions in the billions. The downstream code then attempts to allocate arrays of that size (np.full(out_shape, ...), np.empty(out_shape, ...), cp.full(out_shape, ...)), causing a MemoryError or GPU OOM.
While Python will raise MemoryError rather than silently corrupting memory, this is still a denial-of-service vector -- a careless or adversarial resolution parameter can crash the process.
Impact
Any call to reproject() or merge() with a tiny resolution triggers uncontrolled memory allocation. The _OOM_THRESHOLD check on line 584 only triggers for large source datasets, not for large output grids created by small resolution values.
Severity: HIGH
Category: Unbounded Allocation / Denial of Service (Cat 1)
Fix
Add a configurable _MAX_OUTPUT_PIXELS guard in _compute_output_grid() that caps the total output grid size (e.g. 1 billion pixels by default). Raise a ValueError with a clear message if the computed dimensions exceed the limit.
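A sketch of the proposed guard, added here as an illustration and not taken from the xarray-spatial code base. The function name `checked_output_shape`, its signature, the `(height, width)` return order and the rejection of non-positive or non-finite resolutions are assumptions; the dimension formula and the 1 billion pixel default come from the report above.

```python
import math

# Cap suggested in the issue (1 billion pixels), under the proposed name.
_MAX_OUTPUT_PIXELS = 1_000_000_000


def checked_output_shape(left, bottom, right, top, res_x, res_y,
                         max_pixels=_MAX_OUTPUT_PIXELS):
    """Return (height, width), or raise ValueError before any allocation.

    Hypothetical stand-in for the dimension step of _compute_output_grid().
    """
    for name, res in (("res_x", res_x), ("res_y", res_y)):
        # Assumption: zero, negative, NaN and inf resolutions are rejected.
        if not (math.isfinite(res) and res > 0):
            raise ValueError(f"{name} must be finite and > 0, got {res!r}")

    cols = (right - left) / res_x
    rows = (top - bottom) / res_y
    # A denormal resolution makes the quotient inf; int(round(inf)) would
    # raise OverflowError, so turn that into the same ValueError.
    if not (math.isfinite(cols) and math.isfinite(rows)):
        raise ValueError("resolution is too small for the requested extent")

    # Same formula as the lines quoted in the issue.
    width = max(1, int(round(cols)))
    height = max(1, int(round(rows)))

    # Python ints are arbitrary precision, so this product cannot wrap the
    # way an int64 multiplication could.
    total = width * height
    if total > max_pixels:
        raise ValueError(
            f"output grid {height} x {width} = {total:,} pixels exceeds the "
            f"limit of {max_pixels:,}; use a coarser resolution or raise "
            f"max_pixels"
        )
    return height, width
```

The check has to run before the first `np.full`, `np.empty` or `cp.full` call on the output shape, so that an oversized request fails with a `ValueError` instead of reaching the allocator.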