Opened 2 months ago

Closed 2 months ago

Last modified 2 months ago

#6921 closed defect (fixed)

heap-buffer-overflow (READ of size 16) in ExtraField()

Reported by: geeknik Owned by: warmerdam
Priority: normal Milestone: 2.2.1
Component: OGR_SF Version: 2.2.0
Severity: critical Keywords:
Cc:

Description

gdal-2.2.0, compiled with afl-clang-fast on Debian 8 x64.

./ogr2ogr -f GML /dev/null test000

==15963==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000005199 at pc 0x000000615b40 bp 0x7ffff2ce52b0 sp 0x7ffff2ce4a70
READ of size 16 at 0x602000005199 thread T0
    #0 0x615b3f in __asan_memcpy (/root/gdal-2.2.0/apps/ogr2ogr+0x615b3f)
    #1 0x177bd25 in ExtractField(char*, char const*, int, int) /root/gdal-2.2.0/ogr/ogrsf_frmts/segukooa/ogrsegukooalayer.cpp:43:5
    #2 0x177bd25 in OGRSEGP1Layer::GetNextRawFeature() /root/gdal-2.2.0/ogr/ogrsf_frmts/segukooa/ogrsegukooalayer.cpp:611
    #3 0x1776a3b in OGRSEGUKOOABaseLayer::GetNextFeature() /root/gdal-2.2.0/ogr/ogrsf_frmts/segukooa/ogrsegukooalayer.cpp:55:33
    #4 0x68d401 in LayerTranslator::Translate(OGRFeature*, TargetLayerInfo*, long long, long long*, long long&, int (*)(double, char const*, void*), void*, GDALVectorTranslateOptions*) /root/gdal-2.2.0/apps/ogr2ogr_lib.cpp:4245:25
    #5 0x66fdf3 in GDALVectorTranslate /root/gdal-2.2.0/apps/ogr2ogr_lib.cpp:2973:18
    #6 0x64ba92 in main /root/gdal-2.2.0/apps/ogr2ogr_bin.cpp:295:14
    #7 0x7f015a780b44 in __libc_start_main /build/glibc-KShDyh/glibc-2.19/csu/libc-start.c:287
    #8 0x64a71c in _start (/root/gdal-2.2.0/apps/ogr2ogr+0x64a71c)

0x602000005199 is located 0 bytes to the right of 9-byte region [0x602000005190,0x602000005199)
allocated by thread T0 here:
    #0 0x62d0ab in __interceptor_malloc (/root/gdal-2.2.0/apps/ogr2ogr+0x62d0ab)
    #1 0x831b3e in CPLMalloc /root/gdal-2.2.0/port/cpl_conv.cpp:175:21
    #2 0x1776a3b in OGRSEGUKOOABaseLayer::GetNextFeature() /root/gdal-2.2.0/ogr/ogrsf_frmts/segukooa/ogrsegukooalayer.cpp:55:33

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy

Attachments (1)

test000.gz (44 bytes) - added by geeknik 2 months ago.

Download all attachments as: .zip

Change History (3)

Changed 2 months ago by geeknik

Attachment: test000.gz added

comment:1 Changed 2 months ago by Even Rouault

Resolution: fixed
Status: newclosed

In 39045:

SEGUKOOA: prevent read beyond end of buffer. Backport of trunk r38629 (fixes #6921)

comment:2 Changed 2 months ago by Even Rouault

Milestone: 2.2.1

Was already fixed in trunk by r38269. Just backported to 2.2 per r39045

Note: See TracTickets for help on using tickets.