Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#6231 closed defect (fixed)

1 byte heap write overflow in NCDFTokenizeArray()

Reported by: Even Rouault Owned by: Even Rouault
Priority: normal Milestone: 1.11.4
Component: GDAL_Raster Version: unspecified
Severity: normal Keywords: netcdf
Cc:

Description

Raised by ASAN:

=================================================================
==25980==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000353b5 at pc 0x7f8779b87a0f bp 0x7fff22bd1c20 sp 0x7fff22bd1c18
WRITE of size 1 at 0x6020000353b5 thread T0
    #0 0x7f8779b87a0e in NCDFTokenizeArray(char const*) /home/travis/build/rouault/gdal_coverage/gdal/frmts/netcdf/netcdfdataset.cpp:7034
    #1 0x7f8779b3b892 in netCDFDataset::FetchStandardParallels(char const*) /home/travis/build/rouault/gdal_coverage/gdal/frmts/netcdf/netcdfdataset.cpp:1724
    #2 0x7f8779b42311 in netCDFDataset::SetProjectionFromVar(int) /home/travis/build/rouault/gdal_coverage/gdal/frmts/netcdf/netcdfdataset.cpp:2254
    #3 0x7f8779b6f62c in netCDFDataset::Open(GDALOpenInfo*) /home/travis/build/rouault/gdal_coverage/gdal/frmts/netcdf/netcdfdataset.cpp:4828
    #4 0x7f877a615624 in GDALOpenEx /home/travis/build/rouault/gdal_coverage/gdal/gcore/gdaldataset.cpp:2749
    #5 0x7f877a613ddf in GDALOpen /home/travis/build/rouault/gdal_coverage/gdal/gcore/gdaldataset.cpp:2518
    #6 0x7f878594f739 in Open(char const*, GDALAccess) extensions/gdal_wrap.cpp:5797
    #7 0x7f878594f99f in _wrap_Open extensions/gdal_wrap.cpp:24895
    #8 0x56d4a3 in PyEval_EvalFrameEx (/usr/bin/python2.7+0x56d4a3)
    #9 0x56dc91 in PyEval_EvalFrameEx (/usr/bin/python2.7+0x56dc91)
    #10 0x56dc91 in PyEval_EvalFrameEx (/usr/bin/python2.7+0x56dc91)
    #11 0x56dc91 in PyEval_EvalFrameEx (/usr/bin/python2.7+0x56dc91)
    #12 0x5747bf in PyEval_EvalCodeEx (/usr/bin/python2.7+0x5747bf)
    #13 0x56d155 in PyRun_StringFlags (/usr/bin/python2.7+0x56d155)
    #14 0x575f58 in PyRun_SimpleStringFlags (/usr/bin/python2.7+0x575f58)
    #15 0x56b52b in Py_Main (/usr/bin/python2.7+0x56b52b)
    #16 0x7f878920176c in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #17 0x41bb10  (/usr/bin/python2.7+0x41bb10)

Change History (2)

comment:1 by Even Rouault, 8 years ago

Milestone: 1.11.4
Resolution: fixed
Status: new → closed

trunk r31725, branches/2.0 r31726, branches/1.11 r31727 "netCDF: fix one byte heap write overflow in NCDFTokenizeArray() (#6231)"

comment:2 by Even Rouault, 8 years ago

Hum, actually looking closer the one byte heap write overflow was essentially trunk only due to a previous fix that removed a sizeof(char*). In previous releases the calloc allocated (wrongly) (nLen-2) * sizeof(char*), which in practice means at least (nLen-2)*4, so enough if nLen > 2.
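The allocation pattern the ticket describes, as an added example rather than GDAL's own NCDFTokenizeArray code: a hypothetical, simplified tokenizer that strips the enclosing braces of a value such as "{1.5,2.5}" into a scratch buffer of nLen-2 characters plus a NUL terminator and then splits on commas. The comment at the scratch-buffer allocation marks where the one-byte undersizing turns the NUL store into the heap write ASAN reported.

```c
#include <stdlib.h>
#include <string.h>
/* Copies n bytes of s into a fresh NUL-terminated string (NULL on OOM). */
static char *dup_n(const char *s, size_t n)
{
    char *d = (char *)malloc(n + 1);
    if (d != NULL) { memcpy(d, s, n); d[n] = '\0'; }
    return d;
}

/* Frees a NULL-terminated token array returned by tokenize_array(). */
void free_tokens(char **papsz)
{
    for (size_t i = 0; papsz != NULL && papsz[i] != NULL; ++i) free(papsz[i]);
    free(papsz);
}

/* Hypothetical, simplified stand-in for the tokenizer named in the ticket:
 * "{a,b,c}" -> NULL-terminated array of copied tokens (empty tokens kept);
 * an unbraced value becomes a single token. NULL on empty input or OOM. */
char **tokenize_array(const char *pszValue)
{
    if (pszValue == NULL || pszValue[0] == '\0') return NULL;
    const size_t nLen = strlen(pszValue);
    if (!(pszValue[0] == '{' && nLen > 2 && pszValue[nLen - 1] == '}')) {
        char **papsz = (char **)calloc(2, sizeof(char *));
        if (papsz != NULL) papsz[0] = dup_n(pszValue, nLen);
        return papsz;
    }
    /* The inner text is nLen-2 bytes plus the NUL stored at [nLen-2], so
     * nLen-1 bytes are needed. malloc(nLen - 2) here would turn that NUL
     * store into the 1-byte heap write overflow ASAN reported; the earlier
     * (nLen-2)*sizeof(char*) allocation was merely oversized and hid it. */
    char *pszTemp = (char *)malloc((nLen - 2) + 1);
    if (pszTemp == NULL) return NULL;
    memcpy(pszTemp, pszValue + 1, nLen - 2);
    pszTemp[nLen - 2] = '\0';
    size_t nTokens = 1;                       /* one more token than commas */
    for (const char *p = pszTemp; *p != '\0'; ++p) if (*p == ',') ++nTokens;
    char **papsz = (char **)calloc(nTokens + 1, sizeof(char *));
    const char *pszTok = pszTemp;
    for (size_t i = 0; papsz != NULL && i < nTokens; ++i) {
        const char *pszComma = strchr(pszTok, ',');
        size_t n = pszComma ? (size_t)(pszComma - pszTok) : strlen(pszTok);
        if ((papsz[i] = dup_n(pszTok, n)) == NULL) { free_tokens(papsz); papsz = NULL; }
        else pszTok = pszComma ? pszComma + 1 : pszTok + n;
    }
    free(pszTemp);
    return papsz;
}
```

Building this with -fsanitize=address and changing the scratch allocation to malloc(nLen - 2) reproduces a WRITE of size 1 one byte past the buffer, the same shape as the trace in the description.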
