#6231 closed defect (fixed)
1 byte heap write overflow in NCDFTokenizeArray()
Reported by: | Even Rouault | Owned by: | Even Rouault |
---|---|---|---|
Priority: | normal | Milestone: | 1.11.4 |
Component: | GDAL_Raster | Version: | unspecified |
Severity: | normal | Keywords: | netcdf |
Cc: |
Description
Raised by ASAN:

```
=================================================================
==25980==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000353b5 at pc 0x7f8779b87a0f bp 0x7fff22bd1c20 sp 0x7fff22bd1c18
WRITE of size 1 at 0x6020000353b5 thread T0
    #0 0x7f8779b87a0e in NCDFTokenizeArray(char const*) /home/travis/build/rouault/gdal_coverage/gdal/frmts/netcdf/netcdfdataset.cpp:7034
    #1 0x7f8779b3b892 in netCDFDataset::FetchStandardParallels(char const*) /home/travis/build/rouault/gdal_coverage/gdal/frmts/netcdf/netcdfdataset.cpp:1724
    #2 0x7f8779b42311 in netCDFDataset::SetProjectionFromVar(int) /home/travis/build/rouault/gdal_coverage/gdal/frmts/netcdf/netcdfdataset.cpp:2254
    #3 0x7f8779b6f62c in netCDFDataset::Open(GDALOpenInfo*) /home/travis/build/rouault/gdal_coverage/gdal/frmts/netcdf/netcdfdataset.cpp:4828
    #4 0x7f877a615624 in GDALOpenEx /home/travis/build/rouault/gdal_coverage/gdal/gcore/gdaldataset.cpp:2749
    #5 0x7f877a613ddf in GDALOpen /home/travis/build/rouault/gdal_coverage/gdal/gcore/gdaldataset.cpp:2518
    #6 0x7f878594f739 in Open(char const*, GDALAccess) extensions/gdal_wrap.cpp:5797
    #7 0x7f878594f99f in _wrap_Open extensions/gdal_wrap.cpp:24895
    #8 0x56d4a3 in PyEval_EvalFrameEx (/usr/bin/python2.7+0x56d4a3)
    #9 0x56dc91 in PyEval_EvalFrameEx (/usr/bin/python2.7+0x56dc91)
    #10 0x56dc91 in PyEval_EvalFrameEx (/usr/bin/python2.7+0x56dc91)
    #11 0x56dc91 in PyEval_EvalFrameEx (/usr/bin/python2.7+0x56dc91)
    #12 0x5747bf in PyEval_EvalCodeEx (/usr/bin/python2.7+0x5747bf)
    #13 0x56d155 in PyRun_StringFlags (/usr/bin/python2.7+0x56d155)
    #14 0x575f58 in PyRun_SimpleStringFlags (/usr/bin/python2.7+0x575f58)
    #15 0x56b52b in Py_Main (/usr/bin/python2.7+0x56b52b)
    #16 0x7f878920176c in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #17 0x41bb10 (/usr/bin/python2.7+0x41bb10)
```
Change History (2)
comment:1 by , 8 years ago
Milestone: | → 1.11.4 |
---|---|
Resolution: | → fixed |
Status: | new → closed |
trunk r31725, branches/2.0 r31726, branches/1.11 r31727 "netCDF: fix one byte heap write overflow in NCDFTokenizeArray() (#6231)"
comment:2 by , 8 years ago
Hum, actually looking closer, the one byte heap write overflow was essentially trunk only, due to a previous fix that removed a sizeof(char*). In previous releases the calloc allocated (wrongly) (nLen-2) * sizeof(char*), which in practice means at least (nLen-2)*4, so enough if nLen > 2.
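The allocation-size defect that comment:2 describes, as an added C example that is not GDAL's code: a brace-stripping tokenizer whose inner buffer is allocated with the missing byte for the terminator restored, beside a guarded probe that shows the terminating write landing exactly one byte past an (nLen-2)-byte allocation. The probe uses an arena one byte larger than the allocation under test, so it stays in bounds while still revealing the off-by-one. The function names (`tokenize_array`, `terminator_hits_guard`, `dup_range`) and the sample string `"{30,60}"` are constructed for this illustration, and the assumption that the tokenizer copies the text between the braces into a NUL-terminated heap buffer before splitting on commas is mine, taken from the ticket's description of the fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration of the off-by-one from ticket #6231; not GDAL's code.
 * Assumption: the tokenizer strips the braces of "{a,b,c}" into a heap buffer
 * of the inner length and NUL-terminates it before splitting on ','. */

/* Copies the inner text of value ("{...}") into an arena of alloc_bytes and
 * writes the terminator where the tokenizer would. A guard byte sits right
 * after the nominal allocation; returns 1 if the terminator clobbered it,
 * 0 if it stayed inside, -1 if the input is not of the probed shape.
 * The arena is alloc_bytes + 1 long, so the probe itself never overflows. */
static int terminator_hits_guard(const char *value, size_t alloc_bytes)
{
    size_t nLen = strlen(value);
    if (nLen < 2 || alloc_bytes < nLen - 2)
        return -1;
    size_t inner = nLen - 2;
    unsigned char *arena = malloc(alloc_bytes + 1);
    if (!arena)
        return -1;
    memset(arena, 0, alloc_bytes + 1);
    arena[alloc_bytes] = 0xA5;       /* guard byte just past the allocation */
    memcpy(arena, value + 1, inner); /* inner text: always within alloc_bytes */
    arena[inner] = '\0';             /* the terminating write under scrutiny */
    int hit = arena[alloc_bytes] != 0xA5;
    free(arena);
    return hit;
}

/* Heap copy of the first n bytes of s, NUL-terminated (strdup for a range). */
static char *dup_range(const char *s, size_t n)
{
    char *d = malloc(n + 1);
    if (d) {
        memcpy(d, s, n);
        d[n] = '\0';
    }
    return d;
}

/* Hardened tokenizer: "{1,2,3}" -> {"1","2","3",NULL}; any other non-empty
 * string -> {value,NULL}; NULL or "" -> NULL. Empty tokens are kept.
 * The inner buffer is (nLen - 2) + 1 bytes so the NUL has a byte of its own;
 * the buggy version allocated only (nLen - 2) and wrote tmp[nLen - 2]. */
static char **tokenize_array(const char *value)
{
    if (value == NULL || value[0] == '\0')
        return NULL;
    size_t nLen = strlen(value);
    if (!(value[0] == '{' && nLen > 2 && value[nLen - 1] == '}')) {
        char **one = calloc(2, sizeof(char *));
        if (one)
            one[0] = dup_range(value, nLen);
        return one;
    }
    size_t inner = nLen - 2;
    char *tmp = malloc(inner + 1);   /* FIX: +1 for the terminator */
    if (!tmp)
        return NULL;
    memcpy(tmp, value + 1, inner);
    tmp[inner] = '\0';               /* now lands inside the allocation */

    size_t ntok = 1;                 /* tokens = commas + 1 */
    for (const char *p = tmp; *p; ++p)
        if (*p == ',')
            ntok++;
    char **out = calloc(ntok + 1, sizeof(char *)); /* +1 for NULL sentinel */
    if (!out) {
        free(tmp);
        return NULL;
    }
    size_t i = 0;
    const char *start = tmp;
    for (const char *p = tmp;; ++p) {
        if (*p == ',' || *p == '\0') {
            out[i++] = dup_range(start, (size_t)(p - start));
            if (*p == '\0')
                break;
            start = p + 1;
        }
    }
    free(tmp);
    return out;
}

static size_t count_tokens(char **t)
{
    size_t n = 0;
    if (t)
        while (t[n])
            n++;
    return n;
}

static void free_tokens(char **t)
{
    if (!t)
        return;
    for (char **p = t; *p; ++p)
        free(*p);
    free(t);
}

int main(void)
{
    const char *sample = "{30,60}"; /* constructed: two standard parallels */
    size_t inner = strlen(sample) - 2;
    printf("alloc %zu bytes: guard %s\n", inner,
           terminator_hits_guard(sample, inner) ? "overwritten" : "intact");
    printf("alloc %zu bytes: guard %s\n", inner + 1,
           terminator_hits_guard(sample, inner + 1) ? "overwritten" : "intact");
    char **tok = tokenize_array(sample);
    for (size_t i = 0; tok && tok[i]; ++i)
        printf("token[%zu] = %s\n", i, tok[i]);
    free_tokens(tok);
    return 0;
}
```

Compiled with `-fsanitize=address`, a tokenizer that allocates only `inner` bytes reports the same `WRITE of size 1` one byte past the block that the ticket's trace shows; the guard-byte probe reproduces that finding deterministically without relying on undefined behaviour, which makes it usable as a regression test for the allocation size.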