xarray-spatial is vulnerable to Path Traversal
60
Medium Risk
The native GeoTIFF/COG reader (open_geotiff / read_to_array) and the VRT parser act on untrusted file content, and three weaknesses follow from that. First, declared image dimensions and strip/tile geometry were trusted when sizing buffers, so a header that claims an enormous raster drives multi-gigabyte numpy / cupy allocations before any pixel data is decoded. Second, a VRT's SourceFilename was joined to the VRT directory without first being canonicalized with os.path.realpath() and checked to still lie inside that directory, so a value containing .. segments can escape the VRT directory and make the reader open a file outside it. Third, tiled layouts whose geometry does not agree with the TileOffsets table can desynchronize the decoders. The vector rasterize() path, reproject output-grid construction, and other raster hot paths (including some GPU predictors) likewise sized buffers or windows without the hard pixel caps, tile checks, and stride-alignment checks that the release adds. A crafted or merely pathological input can therefore cause denial of service, directory escape when reading VRT-sourced rasters, or out-of-bounds or inconsistent memory access. The patch enforces max_pixels-style limits, path canonicalization, header/tile validation, and related bounds before allocation and decode.
You are affected if you are using a version that falls within the vulnerable range.
xarray-spatial is vulnerable to Path Traversal in versions 0.9.2 - 0.9.6.
Upgrade xarray-spatial to a patched release, i.e. one newer than 0.9.6.
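The three checks the description above says the patch adds (a pixel cap before allocation, realpath canonicalization of VRT sources with a containment check, and validation of the tile table against the declared geometry and file size), shown as a stand-alone Python example written for this page. It is not xarray-spatial's own code: the function names, the MAX_PIXELS value, the VRT snippets and the header values are all constructed here for illustration.

```python
"""Validation a hardened GeoTIFF/COG + VRT reader should run before it
allocates or decodes anything.

Added example for this advisory; not xarray-spatial's implementation.  The
function names, the pixel cap, the VRT snippets and the header values are
constructed here for illustration.
"""
import os
import xml.etree.ElementTree as ET

MAX_PIXELS = 50_000_000  # assumed cap: 50 Mpx of float32 is about 200 MB per band


class UnsafeRasterInput(ValueError):
    """Raised for any header or VRT content that must not reach the decoder."""


def resolve_vrt_source(vrt_path, source_filename, relative_to_vrt=True):
    """Resolve a <SourceFilename> and refuse anything that leaves the VRT's directory.

    Canonicalize with os.path.realpath() *before* the containment check so that
    '..' segments and symlinks are collapsed first; scanning the raw string for
    '..' is not sufficient.
    """
    vrt_dir = os.path.realpath(os.path.dirname(os.path.abspath(vrt_path)))
    base = vrt_dir if relative_to_vrt else os.getcwd()  # GDAL relativeToVRT semantics
    candidate = os.path.realpath(os.path.join(base, source_filename))
    try:
        inside = os.path.commonpath([vrt_dir, candidate]) == vrt_dir
    except ValueError:  # different drives / mixed absolute-relative (Windows)
        inside = False
    if not inside:
        raise UnsafeRasterInput(f"VRT source {source_filename!r} escapes {vrt_dir}")
    return candidate


def check_vrt_sources(vrt_path, vrt_xml):
    """Return the canonical path of every SourceFilename in a VRT document."""
    root = ET.fromstring(vrt_xml)
    resolved = []
    for elem in root.iter("SourceFilename"):
        relative = elem.get("relativeToVRT", "0") == "1"
        resolved.append(resolve_vrt_source(vrt_path, (elem.text or "").strip(), relative))
    return resolved


def check_raster_header(width, height, bands, bytes_per_sample, max_pixels=MAX_PIXELS):
    """Bound the allocation a header asks for; return the byte count only if safe.

    Python ints do not overflow, so the product is exact here; a C/CUDA reader
    must additionally guard the multiplication itself before calling its allocator.
    """
    if min(width, height, bands, bytes_per_sample) <= 0:
        raise UnsafeRasterInput("non-positive value in raster header")
    pixels = width * height
    if pixels > max_pixels:
        raise UnsafeRasterInput(f"header declares {pixels} pixels, cap is {max_pixels}")
    return pixels * bands * bytes_per_sample


def check_tile_layout(width, height, tile_w, tile_h, tile_offsets, tile_byte_counts, file_size):
    """Check that the tile table agrees with the declared geometry and the file size.

    Assumes one table entry per tile (contiguous planar configuration); a
    separate-plane layout multiplies the expected count by the band count.
    """
    if tile_w <= 0 or tile_h <= 0:
        raise UnsafeRasterInput("non-positive tile size")
    tiles_across = -(-width // tile_w)   # ceiling division
    tiles_down = -(-height // tile_h)
    expected = tiles_across * tiles_down
    if len(tile_offsets) != expected or len(tile_byte_counts) != expected:
        raise UnsafeRasterInput(
            f"geometry implies {expected} tiles, table has "
            f"{len(tile_offsets)} offsets / {len(tile_byte_counts)} byte counts")
    for i, (offset, count) in enumerate(zip(tile_offsets, tile_byte_counts)):
        if offset < 0 or count < 0 or offset + count > file_size:
            raise UnsafeRasterInput(
                f"tile {i} ({offset}+{count}) lies outside the {file_size}-byte file")
    return expected


# Constructed sample inputs; the VRT path does not need to exist on disk.
VRT_PATH = "/srv/rasters/mosaic/scene.vrt"
SAFE_VRT = """<VRTDataset rasterXSize="4" rasterYSize="4">
  <VRTRasterBand dataType="Byte" band="1">
    <SimpleSource>
      <SourceFilename relativeToVRT="1">tiles/a.tif</SourceFilename>
    </SimpleSource>
  </VRTRasterBand>
</VRTDataset>"""
ESCAPING_VRT = SAFE_VRT.replace("tiles/a.tif", "../../etc/passwd")


def audit_vrt(vrt_path, vrt_xml):
    """(True, paths) if every source stays inside the VRT directory, else (False, reason)."""
    try:
        return True, check_vrt_sources(vrt_path, vrt_xml)
    except UnsafeRasterInput as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(audit_vrt(VRT_PATH, SAFE_VRT))
    print(audit_vrt(VRT_PATH, ESCAPING_VRT))
    print(check_raster_header(4096, 4096, 3, 4), "bytes may be allocated")
    print(check_tile_layout(4, 4, 2, 2, [8, 12, 16, 20], [4, 4, 4, 4], file_size=24), "tiles")
```

The order matters: the header and tile checks run on values parsed from the file before any numpy or cupy array is created, and the VRT containment check runs on the canonical path rather than on the raw SourceFilename string, which is what defeats both `..` segments and symlinked subdirectories.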