Opened 6 years ago
Closed 5 years ago
#845 closed defect (duplicate)
Head Use-After-Free geos::geomgraph::index::SweepLineEvent::isDelete()
| Reported by: | goatbar | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | 3.6.4 |
| Component: | Default | Version: | 3.6.2 |
| Severity: | Unassigned | Keywords: | |
| Cc: |
Description
Related to #835, I setup a fuzzers for geos and indirectly for geos from fuzzers on GDAL. I've hit this same bug via WKT, WKB, and GML.
I'll go with the WKT version. This is the fuzzer I'm using with GEOS and GDAL pretty much both at head.
https://github.com/schwehr/gdal-autotest2/blob/master/cpp/ogr/ogrgeometryfactory_wkt_fuzzer.cc
The crazy fuzzer proof of concept WKT:
CIRCULARSTRING(. --.,-KAN-NpolygonJ-p--2 5.--0
-2, 8 ..LI. -1.--.,-NAN---Np--2
5.,- ---,0 -1 ,.
-- --)R
Calling GDAL's OGRGeometry dumpReadable, I get:
CIRCULARSTRING Z (0 0 0,0 5 -2,8 0 -1,nan 5.0 0,0 0 0,0 -1 0,0 0 0)
AddressSanitizer: heap-use-after-free
READ of size 8
#0 geos::geomgraph::index::SweepLineEvent::isDelete() include/geos/geomgraph/index/SweepLineEvent.h:56:27
#1 geos::geomgraph::index::SimpleMCSweepLineIntersector::~SimpleMCSweepLineIntersector() src/geomgraph/index/SimpleMCSweepLineIntersector.cpp:42:12
#2 geos::geomgraph::index::SimpleMCSweepLineIntersector::~SimpleMCSweepLineIntersector() src/geomgraph/index/SimpleMCSweepLineIntersector.cpp:38:1
#3 geos::geomgraph::GeometryGraph::computeSelfNodes(geos::algorithm::LineIntersector&, bool, bool, geos::geom::Envelope const*) src/geomgraph/GeometryGraph.cpp:401:1
#4 geos::geomgraph::GeometryGraph::computeSelfNodes(geos::algorithm::LineIntersector&, bool, geos::geom::Envelope const*) src/geomgraph/GeometryGraph.cpp:366:9
#5 geos::operation::IsSimpleOp::isSimpleLinearGeometry(geos::geom::Geometry const*) src/operation/IsSimpleOp.cpp:174:46
#6 geos::geom::Geometry::isSimple() const src/geom/Geometry.cpp:866:12
#7 GEOSisRing_r capi/geos_ts_c.cpp:1756:25
#8 OGRGeometry::IsRing() const gdal/ogr/ogrgeometry.cpp:2262:19
#9 LLVMFuzzerTestOneInput gdal/autotest2/cpp/ogr/ogrgeometryfactory_wkt_fuzzer.cc:51:9
located 40 bytes inside of 56-byte region
freed here:
#0 operator delete(void*, unsigned long) llvm/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:153:3
#1 geos::geomgraph::index::SweepLineEvent::~SweepLineEvent() src/geomgraph/index/SweepLineEvent.cpp:41:3
#2 geos::geomgraph::index::SweepLineEvent::~SweepLineEvent() src/geomgraph/index/SweepLineEvent.cpp:39:34
#3 geos::geomgraph::index::SimpleMCSweepLineIntersector::~SimpleMCSweepLineIntersector() src/geomgraph/index/SimpleMCSweepLineIntersector.cpp:42:24
#4 geos::geomgraph::index::SimpleMCSweepLineIntersector::~SimpleMCSweepLineIntersector() src/geomgraph/index/SimpleMCSweepLineIntersector.cpp:38:1
#5 geos::geomgraph::GeometryGraph::computeSelfNodes(geos::algorithm::LineIntersector&, bool, bool, geos::geom::Envelope const*) src/geomgraph/GeometryGraph.cpp:401:1
#6 geos::geomgraph::GeometryGraph::computeSelfNodes(geos::algorithm::LineIntersector&, bool, geos::geom::Envelope const*) src/geomgraph/GeometryGraph.cpp:366:9
#7 geos::operation::IsSimpleOp::isSimpleLinearGeometry(geos::geom::Geometry const*) src/operation/IsSimpleOp.cpp:174:46
#8 geos::geom::Geometry::isSimple() const src/geom/Geometry.cpp:866:12
#9 GEOSisRing_r capi/geos_ts_c.cpp:1756:25
#10 OGRGeometry::IsRing() const gdal/ogr/ogrgeometry.cpp:2262:19
#11 LLVMFuzzerTestOneInput gdal/autotest2/cpp/ogr/ogrgeometryfactory_wkt_fuzzer.cc:51:9
previously allocated here:
#0 operator new(unsigned long) llvm/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:92:3
#1 geos::geomgraph::index::SimpleMCSweepLineIntersector::add(geos::geomgraph::Edge*, void*) src/geomgraph/index/SimpleMCSweepLineIntersector.cpp:99:31
#2 geos::geomgraph::index::SimpleMCSweepLineIntersector::add(std::vector<geos::geomgraph::Edge*, std::allocator<geos::geomgraph::Edge*> >*, void*) src/geomgraph/index/SimpleMCSweepLineIntersector.cpp:84:3
#3 geos::geomgraph::index::SimpleMCSweepLineIntersector::computeIntersections(std::vector<geos::geomgraph::Edge*, std::allocator<geos::geomgraph::Edge*> >*, geos::geomgraph::index::SegmentIntersector*, bool) src/geomgraph/index/SimpleMCSweepLineIntersector.cpp:52:3
#4 geos::geomgraph::GeometryGraph::computeSelfNodes(geos::algorithm::LineIntersector&, bool, bool, geos::geom::Envelope const*) src/geomgraph/GeometryGraph.cpp:393:7
#5 geos::geomgraph::GeometryGraph::computeSelfNodes(geos::algorithm::LineIntersector&, bool, geos::geom::Envelope const*) src/geomgraph/GeometryGraph.cpp:366:9
#6 geos::operation::IsSimpleOp::isSimpleLinearGeometry(geos::geom::Geometry const*) src/operation/IsSimpleOp.cpp:174:46
#7 geos::geom::Geometry::isSimple() const src/geom/Geometry.cpp:866:12
#8 GEOSisRing_r capi/geos_ts_c.cpp:1756:25
#9 OGRGeometry::IsRing() const gdal/ogr/ogrgeometry.cpp:2262:19
#10 LLVMFuzzerTestOneInput gdal/autotest2/cpp/ogr/ogrgeometryfactory_wkt_fuzzer.cc:51:9
Attachments (1)
Change History (4)
by , 6 years ago
comment:1 by , 6 years ago
| Milestone: | 3.6.3 → 3.6.4 |
|---|---|
| Version: | master → 3.6.2 |
comment:2 by , 5 years ago
I think this is probably the same issue as https://trac.osgeo.org/geos/ticket/858
Version 0, edited 5 years ago by (next)
comment:3 by , 5 years ago
| Resolution: | → duplicate |
|---|---|
| Status: | new → closed |
I'm going to close out since we cannot actually duplicate. Having our own fuzzers would be nice.
Note:
See TracTickets
for help on using tickets.
wkt causing heap use after free