| Summary: | Buffer overflow detected in wcstools | |||
|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Pablo Pérez González <pgperez> | |
| Component: | wcstools | Assignee: | Sergio Pascual <sergio.pasra> | |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | low | |||
| Version: | 12 | CC: | mmahut, sergio.pasra | |
| Target Milestone: | --- | Keywords: | Triaged | |
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | wcstools-3.8.1-1.fc12 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 561788 (view as bug list) | Environment: | ||
| Last Closed: | 2010-02-23 05:24:40 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Bug Depends On: | ||||
| Bug Blocks: | 561788 | |||
Pablo, thanks for the bug report. Could you put somewhere a sample FITS that makes the application crash? Here it is: http://guaix.fis.ucm.es/~pgperez/temp/thdfn_all_ch1_m.fits And the code I was running: struct WorldCoor *rwcs; string rname="thdfn_all_ch1_m.fits"; char *header; int lhead,nbhead; rfile=new char [rname.length()+1]; strcpy(rfile,rname.c_str()); header=fitsrhead(rfile,&lhead,&nbhead); rwcs=wcsinit(header); //Abort is produced in the previous line!!!! wcs2pix(rwcs,esa1,esa2,&wx,&wy,&off); ... I'm testing wcstools 3.8.1 The size of field c1type in struct WorldCoor is 9, but the value copied into it is 'RA---TAN-SIP', whose length is 12. There are other fields with numeric values, such as radecsys[32] or ctype[9][9]. I don't feel I can fix the bug without the danger of creating new problems I will report the bug upstream, If the maintainer creates a fix, I can patch the fedora package wcstools-3.8.1-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/wcstools-3.8.1-1.fc12 wcstools-3.8.1-1.fc11.1 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/wcstools-3.8.1-1.fc11.1 wcstools-3.8.1-1.fc12 seems to have solved the issue. And it has also solved a related problem in ds9, which aborted when loading the same type of image. Thanks. wcstools-3.8.1-1.fc11.1 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update wcstools'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-1495 wcstools-3.8.1-1.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update wcstools'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1504 wcstools-3.8.1-1.fc11.1 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. wcstools-3.8.1-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: When using wcstools in FC12, version 3.7.0-8.fc12.x86_64, within a c++ program to read a FITS file image with a long header, the program exits anormaly giving the following error: *** buffer overflow detected ***: postager terminated ======= Backtrace: ========= /lib64/libc.so.6(__fortify_fail+0x37)[0x38c2af75e7] /lib64/libc.so.6[0x38c2af5600] /usr/lib64/libwc.so.0(wcstype+0x1bc)[0x38c162cf1c] /usr/lib64/libwc.so.0(wcsinitc+0xe7b)[0x38c16261ab] /usr/lib64/libwc.so.0(wcsinit+0x13)[0x38c1627e73] ~/lib/libcmine.so.0(_Z5getxySsddRdS_+0xba)[0x7f774f2a3459] ~/lib/libcmine.so.0(_Z5getxySsffRfS_+0x84)[0x7f774f2a7541] postager(main+0x1c2d)[0x40a0cd] /lib64/libc.so.6(__libc_start_main+0xfd)[0x38c2a1eb1d] postager[0x404b49] ======= Memory map: ======== 00400000-00422000 r-xp 00000000 fd:02 76808352 ~/src/postager 00622000-00623000 rw-p 00022000 fd:02 76808352 ~/src/postager 00623000-00624000 rw-p 00000000 00:00 0 016c5000-016e6000 rw-p 00000000 00:00 0 [heap] 38c1200000-38c121e000 r-xp 00000000 fd:00 873791 /lib64/ld-2.11.1.so 38c141d000-38c141e000 r--p 0001d000 fd:00 873791 /lib64/ld-2.11.1.so 38c141e000-38c141f000 rw-p 0001e000 fd:00 873791 /lib64/ld-2.11.1.so 38c141f000-38c1420000 rw-p 00000000 00:00 0 38c1600000-38c16b1000 r-xp 00000000 fd:00 383867 /usr/lib64/libwcs.so.0.0.0 38c16b1000-38c18b0000 ---p 000b1000 fd:00 383867 /usr/lib64/libwcs.so.0.0.0 38c18b0000-38c18b4000 rw-p 000b0000 fd:00 383867 /usr/lib64/libwcs.so.0.0.0 38c18b4000-38c18b8000 rw-p 00000000 00:00 0 38c1a00000-38c1a03000 r-xp 00000000 fd:00 874881 /lib64/libcom_err.so.2.1 38c1a03000-38c1c02000 ---p 00003000 fd:00 874881 /lib64/libcom_err.so.2.1 38c1c02000-38c1c03000 rw-p 00002000 fd:00 874881 /lib64/libcom_err.so.2.1 38c1e00000-38c1f6f000 r-xp 00000000 fd:00 384515 /usr/lib64/libcrypto.so.1.0.0 38c1f6f000-38c216e000 ---p 0016f000 fd:00 384515 /usr/lib64/libcrypto.so.1.0.0 38c216e000-38c2190000 rw-p 0016e000 fd:00 384515 /usr/lib64/libcrypto.so.1.0.0 38c2190000-38c2194000 rw-p 00000000 00:00 0 38c2200000-38c2209000 r-xp 00000000 fd:00 874879 /lib64/libkrb5support.so.0.1 38c2209000-38c2408000 ---p 00009000 fd:00 874879 /lib64/libkrb5support.so.0.1 38c2408000-38c2409000 rw-p 00008000 fd:00 874879 /lib64/libkrb5support.so.0.1 38c2600000-38c262d000 r-xp 00000000 fd:00 874883 /lib64/libgssapi_krb5.so.2.2 38c262d000-38c282d000 ---p 0002d000 fd:00 874883 /lib64/libgssapi_krb5.so.2.2 38c282d000-38c282f000 rw-p 0002d000 fd:00 874883 /lib64/libgssapi_krb5.so.2.2 38c2a00000-38c2b6f000 r-xp 00000000 fd:00 873794 /lib64/libc-2.11.1.so 38c2b6f000-38c2d6f000 ---p 0016f000 fd:00 873794 /lib64/libc-2.11.1.so 38c2d6f000-38c2d73000 r--p 0016f000 fd:00 873794 /lib64/libc-2.11.1.so 38c2d73000-38c2d74000 rw-p 00173000 fd:00 873794 /lib64/libc-2.11.1.so 38c2d74000-38c2d79000 rw-p 00000000 00:00 0 38c2e00000-38c2e83000 r-xp 00000000 fd:00 874871 /lib64/libm-2.11.1.so 38c2e83000-38c3082000 ---p 00083000 fd:00 874871 /lib64/libm-2.11.1.so 38c3082000-38c3083000 r--p 00082000 fd:00 874871 /lib64/libm-2.11.1.so 38c3083000-38c3084000 rw-p 00083000 fd:00 874871 /lib64/libm-2.11.1.so 38c3200000-38c3202000 r-xp 00000000 fd:00 874268 /lib64/libdl-2.11.1.so 38c3202000-38c3402000 ---p 00002000 fd:00 874268 /lib64/libdl-2.11.1.so 38c3402000-38c3403000 r--p 00002000 fd:00 874268 /lib64/libdl-2.11.1.so 38c3403000-38c3404000 rw-p 00003000 fd:00 874268 /lib64/libdl-2.11.1.so 38c3600000-38c3617000 r-xp 00000000 fd:00 874836 /lib64/libpthread-2.11.1.so 38c3617000-38c3816000 ---p 00017000 fd:00 874836 /lib64/libpthread-2.11.1.so 38c3816000-38c3817000 r--p 00016000 fd:00 874836 /lib64/libpthread-2.11.1.so 38c3817000-38c3818000 rw-p 00017000 fd:00 874836 /lib64/libpthread-2.11.1.so 38c3818000-38c381c000 rw-p 00000000 00:00 0 38c3a00000-38c3a15000 r-xp 00000000 fd:00 874869 /lib64/libz.so.1.2.3 38c3a15000-38c3c14000 ---p 00015000 fd:00 874869 /lib64/libz.so.1.2.3 38c3c14000-38c3c15000 rw-p 00014000 fd:00 874869 /lib64/libz.so.1.2.3 38c4200000-38c421c000 r-xp 00000000 fd:00 874866 /lib64/libselinux.so.1 38c421c000-38c441b000 ---p 0001c000 fd:00 874866 /lib64/libselinux.so.1 38c441b000-38c441c000 r--p 0001b000 fd:00 874866 /lib64/libselinux.so.1 38c441c000-38c441d000 rw-p 0001c000 fd:00 874866 /lib64/libselinux.so.1 38c441d000-38c441e000 rw-p 00000000 00:00 0 38c4a00000-38c4a15000 r-xp 00000000 fd:00 874865 /lib64/libresolv-2.11.1.so 38c4a15000-38c4c15000 ---p 00015000 fd:00 874865 /lib64/libresolv-2.11.1.so 38c4c15000-38c4c16000 r--p 00015000 fd:00 874865 /lib64/libresolv-2.11.1.so 38c4c16000-38c4c17000 rw-p 00016000 fd:00 874865 /lib64/libresolv-2.11.1.so 38c4c17000-38c4c19000 rw-p 00000000 00:00 0 38c5200000-38c521b000 r-xp 00000000 fd:00 383880 /usr/lib64/libxcb.so.1.1.0 38c521b000-38c541a000 ---p 0001b000 fd:00 383880 /usr/lib64/libxcb.so.1.1.0 38c541a000-38c541b000 rw-p 0001a000 fd:00 383880 /usr/lib64/libxcb.so.1.1.0 38c5600000-38c5602000 r-xp 00000000 fd:00 383876 /usr/lib64/libXau.so.6.0.0 38c5602000-38c5802000 ---p 00002000 fd:00 383876 /usr/lib64/libXau.so.6.0.0 38c5802000-38c5803000 rw-p 00002000 fd:00 383876 /usr/lib64/libXau.so.6.0.0 38c5a00000-38c5b39000 r-xp 00000000 fd:00 383910 /usr/lib64/libX11.so.6.3.0 38c5b39000-38c5d39000 ---p 00139000 fd:00 383910 /usr/lib64/libX11.so.6.3.0 38c5d39000-38c5d3f000 rw-p 00139000 fd:00 383910 /usr/lib64/libX11.so.6.3.0 38c6a00000-38c6a37000 r-xp 00000000 fd:00 844088 /usr/lib64/libgslcblas.so.0.0.0 38c6a37000-38c6c36000 ---p 00037000 fd:00 844088 /usr/lib64/libgslcblas.so.0.0.0 38c6c36000-38c6c37000 rw-p 00036000 fd:00 844088 /usr/lib64/libgslcblas.so.0.0.0Abort Version-Release number of selected component (if applicable): 3.7.0-8.fc12.x86_64 How reproducible: Always Steps to Reproduce: 1.Read an image with a long header and RA---TAN-SIP, DEC--TAN-SIP WCS system. 2.Try to use wcsinit. 3. Actual results: Program Aborted before wcsinit finishes. Expected results: wcsinit should run and allow to use other wcstools functions. Additional info: The problem occurs when calling wcsinit. Problem goes away if header of FITS file is edited and CTYPE1 and CTYPE2 keyword values are changed from RA---TAN-SIP and DEC--TAN-SIP to RA---TAN and DEC--TAN. Problem is not existent when working with the same original FITS image in FC11, wcstools version 3.7.0-7.fc11.x86_64. Problem is not existent when using own compilation of wcstools version 3.8.1.