geotiff: malformed VRT SrcRect is swallowed by the lenient source-read fallback

[brendancol]

Describe the bug

read_vrt() in xrspatial/geotiff/_vrt.py validates DstRect for negative sizes at lines 637-648 (issue #1737), but never validates SrcRect. A SimpleSource with <SrcRect xOff="0" yOff="0" xSize="-100" ySize="-100"/> reaches the source-read path and produces a ValueError inside read_to_array() when the window goes negative.

That ValueError is then caught by the broad source-read fallback at lines 738-746:

try:
    src_arr, _ = read_to_array(src.filename, window=(read_r0, read_c0, read_r1, read_c1), band=src.band - 1)
except (OSError, ValueError, struct.error,) + _CODEC_DECODE_EXCEPTIONS as e:
    ...  # warns and zero-fills under default (non-strict) mode

The fallback's purpose is to keep going when a referenced tile is missing or unreadable. Malformed XML is a different failure -- the file is present, the rectangle is just nonsense -- but the lenient path can't tell the two apart and treats both as "skip and warn." The result is a hole in the mosaic plus a confusing warning that mentions a window the caller never asked for.

Negative SrcRect offsets and offsets that fall outside the source raster have the same problem.

Expected behavior

Reject negative SrcRect sizes and negative offsets up-front, mirroring the DstRect check at line 643. The malformed-XML failure should always reach the caller, regardless of strict mode, with a typed ValueError that names the bad field.

Categories

• Cat 3 (input validation): negative SrcRect dimensions not validated
• Cat 4 (error handling): malformed XML masquerades as a missing-tile warning