geotiff: validate VRT SrcRect dimensions and offsets (#1784) #1788

Merged: brendancol merged 1 commit into main from issue-1784 on May 13, 2026

@brendancol
Contributor

Closes #1784.

Summary

  • read_vrt now rejects negative <SrcRect> xSize, ySize, xOff, and yOff values up front, with a ValueError that names the offending field and value.
  • The DstRect validation added for #1737 (geotiff: VRT SimpleSource DstRect xSize/ySize allows unbounded intermediate allocation in _resample_nearest) only covered half of the SimpleSource rectangle pair. A malformed <SrcRect xSize="-100"/> reached read_to_array as a bad window, raised ValueError for the out-of-range window, and was then swallowed by the lenient source-read try/except meant to handle missing or unreadable files. Net effect: malformed XML became a single warning plus a zero-filled hole in lenient mode, and surfaced as the swallowed error in strict mode.
  • The new check sits before the overlap math and before the source-read try, so it raises in both lenient and strict modes.
  • Upper-bound validation of SrcRect against the source raster extent requires reading the source header and is out of scope here; this PR addresses negatives only.

Test plan

  • New tests in xrspatial/geotiff/tests/test_geotiff_vrt_srcrect_validation_1784.py cover negative xSize, ySize, xOff, yOff, error message content, and strict-mode parity.
  • Regression coverage: a valid SrcRect with a missing source file still hits the lenient warning path; a valid SrcRect with a real source still reads normally.
  • pytest xrspatial/ -k vrt passes 294 tests; the one failure (test_size_param_validation_gpu_vrt_1776.py::test_tile_size_positive_works) is a pre-existing failure on main from the #1781 (geotiff: require tile_size to be a multiple of 16 (#1767)) tile_size multiple-of-16 enforcement, unrelated to this change.

The DstRect validation added for #1737 covered only one half of the
SimpleSource rectangle pair. A malformed `<SrcRect xSize="-100"/>` (or
negative offset) reached `read_to_array` as a bad window, raised
`ValueError` for the out-of-range window, and was then swallowed by the
lenient source-read try/except meant to handle missing or unreadable
source files. Result: malformed XML produced a single warning plus a
zero-filled hole, and strict mode surfaced the swallowed error inside
the try rather than at the malformed-XML site.

Reject `sr.x_size < 0`, `sr.y_size < 0`, `sr.x_off < 0`, and
`sr.y_off < 0` up front, before the overlap math and before the
source-read try, so the malformed VRT always reaches the caller. Error
messages name the offending field and value, matching the existing
DstRect error.

Upper-bound validation against the source raster extent requires
reading the source header and is left for a future change; this commit
addresses the negatives only.
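
The failure mode and the fix described above, as an added example that is not part of the PR or the xrspatial code base: a lenient try/except meant for unreadable files also swallows the error from a malformed `<SrcRect>`, while a check placed before the try raises in both modes. The function names, the message wording, and the XML fragments are assumptions constructed for illustration.

```python
import warnings
import xml.etree.ElementTree as ET

# Constructed SimpleSource fragments for illustration (not taken from the PR).
BAD = ('<SimpleSource><SourceFilename>a.tif</SourceFilename>'
       '<SrcRect xOff="0" yOff="0" xSize="-100" ySize="4"/></SimpleSource>')
GOOD = BAD.replace("-100", "4")


def read_window(path, x_off, y_off, x_size, y_size):
    """Hypothetical stand-in for the source read; rejects bad windows."""
    if min(x_off, y_off, x_size, y_size) < 0:
        raise ValueError("window out of range")
    return [[1] * x_size for _ in range(y_size)]


def check_src_rect(rect):
    """Up-front check that names the offending field and value."""
    for field in ("xOff", "yOff", "xSize", "ySize"):
        if rect[field] < 0:
            raise ValueError(f"SrcRect {field} must be >= 0, got {rect[field]}")


def read_source(xml_text, validate_first, strict=False):
    src = ET.fromstring(xml_text)
    rect = {k: int(v) for k, v in src.find("SrcRect").attrib.items()}
    if validate_first:
        check_src_rect(rect)  # outside the try, so it raises in both modes
    try:
        return read_window(src.findtext("SourceFilename"), rect["xOff"],
                           rect["yOff"], rect["xSize"], rect["ySize"])
    except (OSError, ValueError) as exc:  # intended for missing/unreadable files
        if strict:
            raise
        warnings.warn(f"skipping source: {exc}")
        return [[0] * 4 for _ in range(4)]  # zero-filled hole


if __name__ == "__main__":
    print(read_source(GOOD, validate_first=True))
    try:
        read_source(BAD, validate_first=True)
    except ValueError as exc:
        print("rejected:", exc)
```
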
@github-actions github-actions bot added the performance (PR touches performance-sensitive code) label May 13, 2026
@brendancol brendancol requested a review from Copilot May 13, 2026 13:36
Contributor

Copilot AI left a comment

Pull request overview

This PR tightens read_vrt input validation for GDAL VRT SimpleSource elements by rejecting negative SrcRect sizes and offsets up front, preventing malformed VRT XML from being misclassified as a missing/unreadable source and silently zero-filled in lenient mode.

Changes:

  • Add early SrcRect validation in xrspatial/geotiff/_vrt.py for negative xSize, ySize, xOff, and yOff, raising ValueError with the offending field values.
  • Add a focused regression test suite covering negative SrcRect sizes/offsets, error message contents, strict-mode parity, and ensuring the missing-source lenient warning path still works for valid SrcRect.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| xrspatial/geotiff/_vrt.py | Rejects negative SrcRect dimensions/offsets before overlap math and before the lenient source-read fallback. |
| xrspatial/geotiff/tests/test_geotiff_vrt_srcrect_validation_1784.py | Adds regression tests ensuring malformed SrcRect raises consistently (lenient + strict) while preserving valid missing-source fallback behavior. |

@brendancol brendancol merged commit 1d4682b into main May 13, 2026
15 of 16 checks passed

Successfully merging this pull request may close these issues.

geotiff: malformed VRT SrcRect is swallowed by the lenient source-read fallback