#7127 closed defect (fixed)
kml heap-use-after-free found by fuzzer
| Reported by: | Kurt Schwehr | Owned by: | warmerdam |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | default | Version: | unspecified |
| Severity: | normal | Keywords: | kml fuzzing |
| Cc: | | | |
Description (last modified by )
```
==475427==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000092900 at pc 0x0000007c611a bp 0x7ffcbfe18a90 sp 0x7ffcbfe18a88
READ of size 8 at 0x606000092900 thread T0
    #0 0x7c6119 in KMLNode::~KMLNode() third_party/gdal/ogr/ogrsf_frmts/kml/kmlnode.cpp:132:20
    #1 0x7d365d in KML::parse() third_party/gdal/ogr/ogrsf_frmts/kml/kml.cpp:134:17
    #2 0x5ec22c in OGRKMLDataSource::Open(char const*, int) third_party/gdal/ogr/ogrsf_frmts/kml/ogrkmldatasource.cpp:149:22
    #3 0x50ac05 in LLVMFuzzerTestOneInput third_party/gdal/autotest2/cpp/ogr/ogrsf_frmts/kml/kmldataset_fuzzer.cc:38:31
```

Minimized crash case for the fuzzer:

```xml
<i/>
```
Attachments (1)
Change History (5)
by , 6 years ago

Attachment: minimized-from-283e30738ba30188bd38bec4419f1069da29a6ee.kml added
comment:1 by , 6 years ago

Description: modified (diff)
comment:3 by , 6 years ago
Kurt, this is far from being a valid KML file that triggers the KML driver with the nominal code. I couldn't exactly reproduce this issue with Valgrind, but got something similar by disabling both the Identify check and the !poKMLFile_->isValid() test in OGRKMLDataSource::Open(). I'm not sure, though, of the value of removing existing checks that prevent such issues in practice. We're just giving ourselves more work than needed.
comment:4 by , 6 years ago
This is the kind of stuff that makes me hopeful about long-term sustainability with GDAL for me...