Opened 2 years ago

Closed 2 years ago

#6923 closed defect (fixed)

heap-buffer-overflow (READ of size 1) in NTFFileReader::Open()

Reported by: geeknik
Owned by: warmerdam
Priority: normal
Milestone: 2.2.1
Component: OGR_SF
Version: 2.2.0
Severity: critical
Keywords:
Cc:

Description

gdal-2.2.0, compiled with afl-clang-fast on Debian 8 x64.

./ogr2ogr -f GML /dev/null test001

==13039==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000005fbf at pc 0x0000028f33f4 bp 0x7ffc49d5c090 sp 0x7ffc49d5c088
READ of size 1 at 0x602000005fbf thread T0
    #0 0x28f33f3 in NTFFileReader::Open(char const*) /root/gdal-2.2.0/ogr/ogrsf_frmts/ntf/ntffilereader.cpp:292:13
    #1 0x26250cc in OGRNTFDataSource::Open(char const*, int, char**) /root/gdal-2.2.0/ogr/ogrsf_frmts/ntf/ogrntfdatasource.cpp:302:14
    #2 0x172a7ff in OGRNTFDriverOpen(GDALOpenInfo*) /root/gdal-2.2.0/ogr/ogrsf_frmts/ntf/ogrntfdriver.cpp:69:10
    #3 0x6c1b79 in GDALOpenEx /root/gdal-2.2.0/gcore/gdaldataset.cpp:2817:20
    #4 0x64b2e6 in main /root/gdal-2.2.0/apps/ogr2ogr_bin.cpp:233:15
    #5 0x7f80be0f8b44 in __libc_start_main /build/glibc-KShDyh/glibc-2.19/csu/libc-start.c:287
    #6 0x64a71c in _start (/root/gdal-2.2.0/apps/ogr2ogr+0x64a71c)

0x602000005fbf is located 9 bytes to the right of 6-byte region [0x602000005fb0,0x602000005fb6)
allocated by thread T0 here:
    #0 0x62d0ab in __interceptor_malloc (/root/gdal-2.2.0/apps/ogr2ogr+0x62d0ab)
    #1 0x91f88a in VSIMalloc /root/gdal-2.2.0/port/cpl_vsisimple.cpp:551:12
    #2 0x91f88a in VSIMallocVerbose /root/gdal-2.2.0/port/cpl_vsisimple.cpp:1128
    #3 0x28f1612 in NTFFileReader::Open(char const*) /root/gdal-2.2.0/ogr/ogrsf_frmts/ntf/ntffilereader.cpp:274:10
    #4 0x26250cc in OGRNTFDataSource::Open(char const*, int, char**) /root/gdal-2.2.0/ogr/ogrsf_frmts/ntf/ogrntfdatasource.cpp:302:14
    #5 0x172a7ff in OGRNTFDriverOpen(GDALOpenInfo*) /root/gdal-2.2.0/ogr/ogrsf_frmts/ntf/ogrntfdriver.cpp:69:10
    #6 0x64b2e6 in main /root/gdal-2.2.0/apps/ogr2ogr_bin.cpp:233:15
    #7 0x7f80be0f8b44 in __libc_start_main /build/glibc-KShDyh/glibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/gdal-2.2.0/ogr/ogrsf_frmts/ntf/ntffilereader.cpp:292 NTFFileReader::Open(char const*)

Attachments (1)

test001.gz (45 bytes) - added by geeknik 2 years ago.


Change History (2)

Changed 2 years ago by geeknik

Attachment: test001.gz added

comment:1 Changed 2 years ago by Even Rouault

Milestone: 2.2.1
Resolution: fixed
Status: new → closed

@geeknik GDAL is now accepted in the oss-fuzz project, which uses AFL and libfuzzer underneath, and in recent weeks we have fixed ~300 bugs, and I've just verified that the one you mention has been fixed. So currently if you run it with GDAL 2.2.0, you're likely going to report the same bugs, which will lose time on your side and ours. If you want to go on fuzzing on your side, please do it on the latest version of the trunk development version to make sure you're running with the most up-to-date version.
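
Added example (not part of the ticket and not GDAL code): a small triage script that reduces the AddressSanitizer report from the description to a duplicate-detection signature, the crash and allocation sites, and the offset of the faulting read inside the allocation, so a fuzzer crash can be compared against bugs already filed or fixed. The wrapper-prefix list, the signature format and the function names are assumptions of this example; the report text is an excerpt of the one above.

```python
import re

# Excerpt of the ASan report from the ticket description (frames trimmed).
REPORT = """\
==13039==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000005fbf at pc 0x0000028f33f4 bp 0x7ffc49d5c090 sp 0x7ffc49d5c088
READ of size 1 at 0x602000005fbf thread T0
    #0 0x28f33f3 in NTFFileReader::Open(char const*) /root/gdal-2.2.0/ogr/ogrsf_frmts/ntf/ntffilereader.cpp:292:13
    #1 0x26250cc in OGRNTFDataSource::Open(char const*, int, char**) /root/gdal-2.2.0/ogr/ogrsf_frmts/ntf/ogrntfdatasource.cpp:302:14

0x602000005fbf is located 9 bytes to the right of 6-byte region [0x602000005fb0,0x602000005fb6)
allocated by thread T0 here:
    #0 0x62d0ab in __interceptor_malloc (/root/gdal-2.2.0/apps/ogr2ogr+0x62d0ab)
    #1 0x91f88a in VSIMalloc /root/gdal-2.2.0/port/cpl_vsisimple.cpp:551:12
    #2 0x91f88a in VSIMallocVerbose /root/gdal-2.2.0/port/cpl_vsisimple.cpp:1128
    #3 0x28f1612 in NTFFileReader::Open(char const*) /root/gdal-2.2.0/ogr/ogrsf_frmts/ntf/ntffilereader.cpp:274:10
"""

# A frame is "#N 0xPC in <function, may contain spaces> <location>".
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+) (\S+)$", re.M)
# Assumption: allocator shims that never identify the real allocation site.
WRAPPERS = ("__interceptor_", "VSIMalloc")

def site(loc):
    """Reduce '/build/prefix/file.cpp:292:13' to 'file.cpp:292' (build-independent)."""
    return ":".join(loc.rsplit("/", 1)[-1].split(":")[:2])

def triage(report):
    bug, addr = re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", report).groups()
    access, size = re.search(r"^(READ|WRITE) of size (\d+)", report, re.M).groups()
    region = re.search(r"(\d+)-byte region \[(0x[0-9a-f]+),", report)
    # Frames before this marker are the faulting access, frames after it the allocation.
    access_stack, _, alloc_stack = report.partition("allocated by thread")
    crash_func, crash_loc = FRAME.search(access_stack).groups()
    alloc = next((f for f in FRAME.findall(alloc_stack) if not f[0].startswith(WRAPPERS)), None)
    return {
        # Line numbers drift between releases, so the signature keys on the function.
        "signature": f"{bug}|{access} {size}|{crash_func}",
        "crash_site": site(crash_loc),
        "alloc_site": site(alloc[1]) if alloc else None,
        "buffer_size": int(region.group(1)),
        "offset": int(addr, 16) - int(region.group(2), 16),
    }

if __name__ == "__main__":
    print(triage(REPORT))
```

For this report the read lands at offset 15 of a 6-byte buffer, which matches ASan's "9 bytes to the right" and shows the buffer allocated at line 274 being indexed without a length check at line 292.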
