From da32682c3da45332f83adc833d468376b1062a5b Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Sat, 25 Sep 2021 19:00:47 +0200
Subject: [PATCH] netCDFVariable::GetBlockSize(): fix heap buffer write overflow on 2D char variables.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39258
---
 gdal/frmts/netcdf/netcdfmultidim.cpp | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/gdal/frmts/netcdf/netcdfmultidim.cpp b/gdal/frmts/netcdf/netcdfmultidim.cpp
index 1eb1f0ecf278..45ebf6c2b49b 100644
--- a/gdal/frmts/netcdf/netcdfmultidim.cpp
+++ b/gdal/frmts/netcdf/netcdfmultidim.cpp
@@ -3077,11 +3077,14 @@ double netCDFVariable::GetOffset(bool* pbHasOffset, GDALDataType* peStorageType)
 
 std::vector netCDFVariable::GetBlockSize() const
 {
- std::vector res(GetDimensionCount());
+ const auto nDimCount = GetDimensionCount();
+ std::vector res(nDimCount);
 if( res.empty() )
 return res;
 int nStorageType = 0;
- std::vector anTemp(GetDimensionCount());
+ // We add 1 to the dimension count, for 2D char variables that we
+ // expose as a 1D variable.
+ std::vector anTemp(1 + nDimCount);
 nc_inq_var_chunking(m_gid, m_varid, &nStorageType, &anTemp[0]);
 if( nStorageType == NC_CHUNKED )
 {
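Review bot: Sizing `anTemp` as `1 + nDimCount` pins the fix to the one known mismatch (2D char variables exposed as 1D), but `nc_inq_var_chunking()` fills one entry per dimension of the underlying netCDF variable, so any other case where `GetDimensionCount()` is smaller than the variable's real rank would overflow the heap again. Sizing the buffer from the library's own view of the variable closes that class of bug rather than one instance: `int nVarDims = 0; if( nc_inq_varndims(m_gid, m_varid, &nVarDims) != NC_NOERR || nVarDims <= 0 ) return res;` followed by `std::vector<size_t> anTemp(static_cast<size_t>(nVarDims));`. The return value of `nc_inq_var_chunking()` is also unchecked; as far as I recall NC_CHUNKED is defined as 0 in netcdf.h, so a failed call leaves `nStorageType` equal to NC_CHUNKED and the zero-filled `anTemp` would be copied into `res` by the branch that continues outside this hunk, which argues for entering that branch only when the call returned NC_NOERR. Whether an early `return res` of zeros is the right fallback depends on how callers consume the block size, which is not visible here.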