Opened 16 months ago

Closed 16 months ago

Last modified 16 months ago

#6231 closed defect (fixed)

1 byte heap write overflow in NCDFTokenizeArray()

Reported by: Even Rouault Owned by: Even Rouault
Priority: normal Milestone: 1.11.4
Component: GDAL_Raster Version: unspecified
Severity: normal Keywords: netcdf
Cc:

Description

Raised by ASAN :

=================================================================
==25980==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000353b5 at pc 0x7f8779b87a0f bp 0x7fff22bd1c20 sp 0x7fff22bd1c18
WRITE of size 1 at 0x6020000353b5 thread T0
    #0 0x7f8779b87a0e in NCDFTokenizeArray(char const*) /home/travis/build/rouault/gdal_coverage/gdal/frmts/netcdf/netcdfdataset.cpp:7034
    #1 0x7f8779b3b892 in netCDFDataset::FetchStandardParallels(char const*) /home/travis/build/rouault/gdal_coverage/gdal/frmts/netcdf/netcdfdataset.cpp:1724
    #2 0x7f8779b42311 in netCDFDataset::SetProjectionFromVar(int) /home/travis/build/rouault/gdal_coverage/gdal/frmts/netcdf/netcdfdataset.cpp:2254
    #3 0x7f8779b6f62c in netCDFDataset::Open(GDALOpenInfo*) /home/travis/build/rouault/gdal_coverage/gdal/frmts/netcdf/netcdfdataset.cpp:4828
    #4 0x7f877a615624 in GDALOpenEx /home/travis/build/rouault/gdal_coverage/gdal/gcore/gdaldataset.cpp:2749
    #5 0x7f877a613ddf in GDALOpen /home/travis/build/rouault/gdal_coverage/gdal/gcore/gdaldataset.cpp:2518
    #6 0x7f878594f739 in Open(char const*, GDALAccess) extensions/gdal_wrap.cpp:5797
    #7 0x7f878594f99f in _wrap_Open extensions/gdal_wrap.cpp:24895
    #8 0x56d4a3 in PyEval_EvalFrameEx (/usr/bin/python2.7+0x56d4a3)
    #9 0x56dc91 in PyEval_EvalFrameEx (/usr/bin/python2.7+0x56dc91)
    #10 0x56dc91 in PyEval_EvalFrameEx (/usr/bin/python2.7+0x56dc91)
    #11 0x56dc91 in PyEval_EvalFrameEx (/usr/bin/python2.7+0x56dc91)
    #12 0x5747bf in PyEval_EvalCodeEx (/usr/bin/python2.7+0x5747bf)
    #13 0x56d155 in PyRun_StringFlags (/usr/bin/python2.7+0x56d155)
    #14 0x575f58 in PyRun_SimpleStringFlags (/usr/bin/python2.7+0x575f58)
    #15 0x56b52b in Py_Main (/usr/bin/python2.7+0x56b52b)
    #16 0x7f878920176c in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #17 0x41bb10  (/usr/bin/python2.7+0x41bb10)

Change History (2)

comment:1 Changed 16 months ago by Even Rouault

Milestone: 1.11.4
Resolution: fixed
Status: newclosed

trunk r31725, branches/2.0 r31726, branches/1.11 r31727 "netCDF: fix one byte heap write overflow in NCDFTokenizeArray() (#6231)"

comment:2 Changed 16 months ago by Even Rouault

Hum, actually looking closer the one byte heap write overflow was essentially trunk only due to a previous fix that removed a sizeof(char*). In previous releases the calloc allocated (wrongloy) (nLen-2) * sizeof(char*), which in practice means at least (nLen-2)*4, so enough if nLen > 2.

Note: See TracTickets for help on using tickets.