Opened 6 years ago

Closed 5 years ago

#858 closed defect (fixed)

LineIntersector sanitizer failure

Reported by: goatbar Owned by: geos-devel@…
Priority: major Milestone: 3.6.4
Component: Default Version: 3.6.2
Severity: Unassigned Keywords:
Cc:

Description

Fails with both ASAN and MSAN with geos synced to approx. October (and older versions too)

==4928==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x7fc9ed11edbf in geos::geomgraph::index::SimpleMCSweepLineIntersector::~SimpleMCSweepLineIntersector() geos/src/geomgraph/index/SimpleMCSweepLineIntersector.cpp:42:7
    #1 0x7fc9ed11ee0c in geos::geomgraph::index::SimpleMCSweepLineIntersector::~SimpleMCSweepLineIntersector() geos/src/geomgraph/index/SimpleMCSweepLineIntersector.cpp:38:1
    #2 0x7fc9ed100444 in std::unique_ptr<geos::geomgraph::index::EdgeSetIntersector, std::default_delete<geos::geomgraph::index::EdgeSetIntersector> >::~unique_ptr() crosstool/v18/stable/toolchain/bin/../lib/gcc/x86_64-grtev4-linux-gnu/4.9.x-google/../../../../x86_64-grtev4-linux-gnu/include/c++/4.9.x-google/bits/unique_ptr.h:236:4
    #3 0x7fc9ed0fdfa4 in geos::geomgraph::GeometryGraph::computeSelfNodes(geos::algorithm::LineIntersector&, bool, bool, geos::geom::Envelope const*) geos/src/geomgraph/GeometryGraph.cpp:401:1
    #4 0x7fc9ed0fd9f2 in geos::geomgraph::GeometryGraph::computeSelfNodes(geos::algorithm::LineIntersector&, bool, geos::geom::Envelope const*) geos/src/geomgraph/GeometryGraph.cpp:366:9
    #5 0x7fc9ed1a0937 in geos::operation::IsSimpleOp::isSimpleLinearGeometry(geos::geom::Geometry const*) geos/src/operation/IsSimpleOp.cpp:174:48
    #6 0x7fc9ed1a06ba in geos::operation::IsSimpleOp::isSimple() geos/src/operation/IsSimpleOp.cpp
    #7 0x7fc9ed095ffb in geos::geom::Geometry::isSimple() const geos/src/geom/Geometry.cpp:866:12
    #8 0x7fc9ed022fd2 in GEOSisSimple_r geos/capi/geos_ts_c.cpp:1722:20
    #9 0x7fc9edeb15dd in OGRGeometry::IsSimple() const gdal/ogr/ogrgeometry.cpp:2200:19
    #10 0x562532e2db54 in (anonymous namespace)::OgrGemeometryFactoryWkb_b69202526_Test::TestBody() gdal/autotest2/cpp/ogr/ogrgeometryfactory_test.cc:389:3
    #11 0x7fc9e8b770e9 in testing::Test::Run() gtest/src/gtest.cc:2478:5
    #12 0x7fc9e8b77f6a in testing::TestInfo::Run() gtest/src/gtest.cc:2654:11
    #13 0x7fc9e8b78922 in testing::TestCase::Run() gtest/src/gtest.cc:2772:28
    #14 0x7fc9e8b840ba in testing::internal::UnitTestImpl::RunAllTests() gtest/src/gtest.cc:4690:43
    #15 0x7fc9e8b83aa4 in testing::UnitTest::Run() gtest/src/gtest.cc:4309:10
    #16 0x562532e30733 in main gdal/autotest2/cpp/util/gunit_main.cc:19:10

SUMMARY: MemorySanitizer: use-of-uninitialized-value geos/src/geomgraph/index/SimpleMCSweepLineIntersector.cpp:42:7 in geos::geomgraph::index::SimpleMCSweepLineIntersector::~SimpleMCSweepLineIntersector()

Reproduces with this gunit-based test. Be warned that this data is generated by a fuzzer, so it's likely pretty crazy.

#include <gtest/gtest.h>

#include "ogr_geometry.h"

TEST(OgrGemeometryFactoryWkb, b69202526) {
  // Fuzzer output. The first 9 bytes decode as XDR (big-endian) byte order,
  // geometry type 2 (LineString) and 14 points, so 9 + 14 * 16 = 233 bytes
  // are consumed by createFromWkb; the trailing bytes are never read.
  constexpr char kData[] =
      "\x00\x00\x00\x00\x02\x00\x00\x00\x0e\x00\x00\x00\x00\x00\x00\x00\x00"
      "\x00\x00\x00\x00\x00\x00\x00\x00\x24\x04\x24\x24\x24\x24\x24\x24\x24"
      "\x24\x24\x24\x24\x28\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\x3b"
      "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x40\x00\x01\x08\x00"
      "\x00\x00\x03\x00\x00\x00\x3b\x01\x98\x00\x00\x00\x00\x00\x00\x00\x00"
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x29\x00"
      "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x49\x00\x01\xf3\x4e\x53\x74\x37"
      "\x6c\x6f\x63\x61\x6c\x65\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
      "\x28\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
      "\xfb\x00\x00\x00\x00\x00\x01\x07\x00\x00\x00\x00\x00\x3a\x00\x00\x00"
      "\xf1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\x00\x00"
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
      "\x00\x00\x00\x00\x00\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00"
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

  OGRGeometry *geomptr = nullptr;

  // sizeof includes the literal's terminating NUL (239 bytes); harmless here,
  // since only 233 of them are consumed.
  const int size = static_cast<int>(sizeof(kData));
  const OGRwkbVariant variant = wkbVariantOldOgc;
  int bytes_consumed = 0;
  auto data = reinterpret_cast<const unsigned char *>(kData);
  OGRGeometryFactory::createFromWkb(data, nullptr, &geomptr, size, variant,
                                    bytes_consumed);
  ASSERT_EQ(233, bytes_consumed);
  ASSERT_NE(nullptr, geomptr);
  EXPECT_TRUE(geomptr->IsSimple());  // <-- Sanitizers fail here
  OGRGeometryFactory::destroyGeometry(geomptr);
}
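Added example, not part of the ticket and not GDAL or GEOS code: a stand-alone decoder for the blob above, so the fuzzer's output can be inspected without building GDAL. It copies kData byte for byte from the test, assumes only that the buffer is 2-D WKB, and checks bounds before every read; the names (WkbSummary, summarizeWkbLineString, summarizeFuzzedInput) are invented here.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <stdexcept>

// The fuzzer output from the ticket's test, copied verbatim; the string
// literal's trailing NUL is excluded from the size below (238 data bytes).
static const char kFuzzedWkb[] =
    "\x00\x00\x00\x00\x02\x00\x00\x00\x0e\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x24\x04\x24\x24\x24\x24\x24\x24\x24"
    "\x24\x24\x24\x24\x28\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\x3b"
    "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x40\x00\x01\x08\x00"
    "\x00\x00\x03\x00\x00\x00\x3b\x01\x98\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x29\x00"
    "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x49\x00\x01\xf3\x4e\x53\x74\x37"
    "\x6c\x6f\x63\x61\x6c\x65\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x28\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\xfb\x00\x00\x00\x00\x00\x01\x07\x00\x00\x00\x00\x00\x3a\x00\x00\x00"
    "\xf1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
static const std::size_t kFuzzedWkbSize = sizeof(kFuzzedWkb) - 1;

struct WkbSummary {
    int byteOrder = -1;          // 0 = XDR (big-endian), 1 = NDR (little-endian)
    std::uint32_t type = 0;      // 2 = LineString
    std::uint32_t numPoints = 0;
    std::size_t bytesConsumed = 0;
    std::size_t nanCount = 0;    // coordinates that are NaN
    std::size_t infCount = 0;    // coordinates that are +/-Inf
    double maxAbsFinite = 0.0;   // largest magnitude among finite coordinates
};

static std::uint32_t readU32(const unsigned char* p, bool bigEndian) {
    std::uint32_t v = 0;
    for (int i = 0; i < 4; ++i) v = (v << 8) | p[bigEndian ? i : 3 - i];
    return v;
}

static double readF64(const unsigned char* p, bool bigEndian) {
    std::uint64_t bits = 0;
    for (int i = 0; i < 8; ++i) bits = (bits << 8) | p[bigEndian ? i : 7 - i];
    double d;
    std::memcpy(&d, &bits, sizeof d);  // bit copy, no aliasing UB
    return d;
}

// Decodes a 2-D WKB LineString header and its coordinates. Every read is
// bounds-checked; the point is that a well-formed blob can still carry
// NaN and ~1e304 coordinates into the geometry library.
WkbSummary summarizeWkbLineString(const unsigned char* data, std::size_t size) {
    WkbSummary s;
    if (size < 9) throw std::runtime_error("WKB header truncated");
    s.byteOrder = data[0];
    if (s.byteOrder != 0 && s.byteOrder != 1) throw std::runtime_error("bad byte order marker");
    const bool big = (s.byteOrder == 0);
    s.type = readU32(data + 1, big);
    if (s.type != 2) throw std::runtime_error("not a 2-D LineString");
    s.numPoints = readU32(data + 5, big);
    // Divide rather than multiply so a hostile numPoints cannot wrap the check.
    if (s.numPoints > (size - 9) / 16) throw std::runtime_error("point count exceeds buffer");
    std::size_t off = 9;
    for (std::uint32_t i = 0; i < s.numPoints; ++i) {
        for (int c = 0; c < 2; ++c) {
            const double v = readF64(data + off, big);
            off += 8;
            if (std::isnan(v)) ++s.nanCount;
            else if (std::isinf(v)) ++s.infCount;
            else if (std::fabs(v) > s.maxAbsFinite) s.maxAbsFinite = std::fabs(v);
        }
    }
    s.bytesConsumed = off;
    return s;
}

WkbSummary summarizeFuzzedInput() {
    return summarizeWkbLineString(
        reinterpret_cast<const unsigned char*>(kFuzzedWkb), kFuzzedWkbSize);
}

int main() {
    const WkbSummary s = summarizeFuzzedInput();
    std::printf("byte order %d, type %u, %u points, %zu bytes consumed, "
                "%zu NaN, %zu Inf, max |finite| %g\n",
                s.byteOrder, s.type, s.numPoints, s.bytesConsumed,
                s.nanCount, s.infCount, s.maxAbsFinite);
    return 0;
}
```

Decoded this way the blob is a big-endian LineString of 14 points, which is why the test's ASSERT_EQ(233, bytes_consumed) holds: 9 header bytes plus 14 times 16. Of the 28 coordinates one is NaN (the x of the fourth point, bytes 0xffffffffffff4000) and one is about -7.7e304 (the y of the third point), with several subnormals in between; that is the kind of input the sweep-line code downstream was handed.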

Change History (4)

comment:1 by goatbar, 6 years ago

Summary: LinIntersector sanitizer failure → LineIntersector sanitizer failure

comment:2 by robe, 6 years ago

Milestone: 3.6.3 → 3.6.4

comment:3 by dbaston, 5 years ago

Confirmed invalid read in master using Valgrind. Converted example to GEOS test here: https://github.com/dbaston/libgeos/commit/c487768ede97ea3d4ab78e16f67bb37f9dd3c09d

comment:4 by Daniel Baston <dbaston@…>, 5 years ago

Resolution: fixed
Status: new → closed

In 0bf5167/git:

Fix invalid read on exception in IsValidOp

Fixes #858
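Added example, not the ticket's and not GEOS code: a minimal model of the defect class the fix describes. The trace shows the intersector being destroyed from a std::unique_ptr inside computeSelfNodes, i.e. during stack unwinding after an exception, and the destructor reading a member that only gets a value once the computation has run. The broken form is shown next to a form that is safe to destroy on any unwind path. The class and function names (BuggyIntersector, FixedIntersector, computeSelfNodes) mirror the trace only in shape and are assumptions, as is the input check that throws.

```cpp
#include <cstddef>
#include <memory>
#include <stdexcept>
#include <vector>

struct Edge { int id; };           // hypothetical stand-in for a graph edge
struct SweepEvent { Edge edge; };  // hypothetical stand-in for a sweep-line event

// Deliberately broken form: `ownsEvents` is assigned only by
// computeIntersections(). If the owner throws before calling it, the
// destructor runs during unwinding and branches on an indeterminate value,
// which MemorySanitizer reports as use-of-uninitialized-value.
class BuggyIntersector {
public:
    BuggyIntersector() {}                        // ownsEvents left indeterminate
    ~BuggyIntersector() {
        if (ownsEvents)                          // uninitialised read on early unwind
            for (SweepEvent* ev : events) delete ev;
    }
    void computeIntersections(const std::vector<Edge>& edges) {
        for (const Edge& e : edges) events.push_back(new SweepEvent{e});
        ownsEvents = true;
    }
    std::size_t eventCount() const { return events.size(); }
private:
    std::vector<SweepEvent*> events;
    bool ownsEvents;
};

// Hardened form: every member has a defined state from construction on and
// ownership is carried by unique_ptr, so the destructor has nothing to decide
// and is correct whether or not computeIntersections() ever ran.
class FixedIntersector {
public:
    FixedIntersector() = default;
    void computeIntersections(const std::vector<Edge>& edges) {
        for (const Edge& e : edges)
            events.push_back(std::unique_ptr<SweepEvent>(new SweepEvent{e}));
    }
    std::size_t eventCount() const { return events.size(); }
private:
    std::vector<std::unique_ptr<SweepEvent>> events;
};

// Same frame shape as GeometryGraph::computeSelfNodes in the trace: the
// intersector is created inside a unique_ptr, then something between
// creation and use throws. The negative-id check is a hypothetical stand-in
// for whatever GEOS raised on the fuzzed geometry.
template <typename Intersector>
std::size_t computeSelfNodes(const std::vector<Edge>& edges) {
    std::unique_ptr<Intersector> esi(new Intersector());
    for (const Edge& e : edges)
        if (e.id < 0) throw std::invalid_argument("negative edge id");  // ~Intersector runs here
    esi->computeIntersections(edges);
    return esi->eventCount();
}

// Returns the event count on success and -1 when the computation threw, so
// both paths can be checked without the exception escaping.
template <typename Intersector>
long tryComputeSelfNodes(const std::vector<Edge>& edges) {
    try {
        return static_cast<long>(computeSelfNodes<Intersector>(edges));
    } catch (const std::invalid_argument&) {
        return -1;
    }
}

int main() {
    const std::vector<Edge> good{{1}, {2}, {3}};
    const std::vector<Edge> bad{{1}, {-2}};
    // Built with -fsanitize=memory, only this call is reported.
    tryComputeSelfNodes<BuggyIntersector>(bad);
    tryComputeSelfNodes<FixedIntersector>(bad);
    return tryComputeSelfNodes<FixedIntersector>(good) == 3 ? 0 : 1;
}
```

To see the report, build with clang++ -std=c++14 -g -O1 -fno-omit-frame-pointer -fsanitize=memory and run the binary; the BuggyIntersector destructor is flagged on the throwing path and the FixedIntersector one is silent. MemorySanitizer needs an instrumented C++ standard library as well, otherwise uninstrumented library code produces false positives that are easy to mistake for a bug like this one.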
