Bug 559863

Summary: Buffer overflow detected in wcstools
Product: [Fedora] Fedora Reporter: Pablo Pérez González <pgperez>
Component: wcstoolsAssignee: Sergio Pascual <sergio.pasra>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: mmahut, sergio.pasra
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: wcstools-3.8.1-1.fc12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 561788 (view as bug list) Environment:
Last Closed: 2010-02-23 05:24:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 561788    

Description Pablo Pérez González 2010-01-29 08:31:35 UTC 
Description of problem:

When using wcstools in FC12, version 3.7.0-8.fc12.x86_64, within a c++ program to read a FITS file image with a long header, the program exits anormaly giving the following error:

*** buffer overflow detected ***: postager terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x38c2af75e7]
/lib64/libc.so.6[0x38c2af5600]
/usr/lib64/libwc.so.0(wcstype+0x1bc)[0x38c162cf1c]
/usr/lib64/libwc.so.0(wcsinitc+0xe7b)[0x38c16261ab]
/usr/lib64/libwc.so.0(wcsinit+0x13)[0x38c1627e73]
~/lib/libcmine.so.0(_Z5getxySsddRdS_+0xba)[0x7f774f2a3459]
~/lib/libcmine.so.0(_Z5getxySsffRfS_+0x84)[0x7f774f2a7541]
postager(main+0x1c2d)[0x40a0cd]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x38c2a1eb1d]
postager[0x404b49]
======= Memory map: ========
00400000-00422000 r-xp 00000000 fd:02 76808352                           ~/src/postager
00622000-00623000 rw-p 00022000 fd:02 76808352                           ~/src/postager
00623000-00624000 rw-p 00000000 00:00 0 
016c5000-016e6000 rw-p 00000000 00:00 0                                  [heap]
38c1200000-38c121e000 r-xp 00000000 fd:00 873791                         /lib64/ld-2.11.1.so
38c141d000-38c141e000 r--p 0001d000 fd:00 873791                         /lib64/ld-2.11.1.so
38c141e000-38c141f000 rw-p 0001e000 fd:00 873791                         /lib64/ld-2.11.1.so
38c141f000-38c1420000 rw-p 00000000 00:00 0 
38c1600000-38c16b1000 r-xp 00000000 fd:00 383867                         /usr/lib64/libwcs.so.0.0.0
38c16b1000-38c18b0000 ---p 000b1000 fd:00 383867                         /usr/lib64/libwcs.so.0.0.0
38c18b0000-38c18b4000 rw-p 000b0000 fd:00 383867                         /usr/lib64/libwcs.so.0.0.0
38c18b4000-38c18b8000 rw-p 00000000 00:00 0 
38c1a00000-38c1a03000 r-xp 00000000 fd:00 874881                         /lib64/libcom_err.so.2.1
38c1a03000-38c1c02000 ---p 00003000 fd:00 874881                         /lib64/libcom_err.so.2.1
38c1c02000-38c1c03000 rw-p 00002000 fd:00 874881                         /lib64/libcom_err.so.2.1
38c1e00000-38c1f6f000 r-xp 00000000 fd:00 384515                         /usr/lib64/libcrypto.so.1.0.0
38c1f6f000-38c216e000 ---p 0016f000 fd:00 384515                         /usr/lib64/libcrypto.so.1.0.0
38c216e000-38c2190000 rw-p 0016e000 fd:00 384515                         /usr/lib64/libcrypto.so.1.0.0
38c2190000-38c2194000 rw-p 00000000 00:00 0 
38c2200000-38c2209000 r-xp 00000000 fd:00 874879                         /lib64/libkrb5support.so.0.1
38c2209000-38c2408000 ---p 00009000 fd:00 874879                         /lib64/libkrb5support.so.0.1
38c2408000-38c2409000 rw-p 00008000 fd:00 874879                         /lib64/libkrb5support.so.0.1
38c2600000-38c262d000 r-xp 00000000 fd:00 874883                         /lib64/libgssapi_krb5.so.2.2
38c262d000-38c282d000 ---p 0002d000 fd:00 874883                         /lib64/libgssapi_krb5.so.2.2
38c282d000-38c282f000 rw-p 0002d000 fd:00 874883                         /lib64/libgssapi_krb5.so.2.2
38c2a00000-38c2b6f000 r-xp 00000000 fd:00 873794                         /lib64/libc-2.11.1.so
38c2b6f000-38c2d6f000 ---p 0016f000 fd:00 873794                         /lib64/libc-2.11.1.so
38c2d6f000-38c2d73000 r--p 0016f000 fd:00 873794                         /lib64/libc-2.11.1.so
38c2d73000-38c2d74000 rw-p 00173000 fd:00 873794                         /lib64/libc-2.11.1.so
38c2d74000-38c2d79000 rw-p 00000000 00:00 0 
38c2e00000-38c2e83000 r-xp 00000000 fd:00 874871                         /lib64/libm-2.11.1.so
38c2e83000-38c3082000 ---p 00083000 fd:00 874871                         /lib64/libm-2.11.1.so
38c3082000-38c3083000 r--p 00082000 fd:00 874871                         /lib64/libm-2.11.1.so
38c3083000-38c3084000 rw-p 00083000 fd:00 874871                         /lib64/libm-2.11.1.so
38c3200000-38c3202000 r-xp 00000000 fd:00 874268                         /lib64/libdl-2.11.1.so
38c3202000-38c3402000 ---p 00002000 fd:00 874268                         /lib64/libdl-2.11.1.so
38c3402000-38c3403000 r--p 00002000 fd:00 874268                         /lib64/libdl-2.11.1.so
38c3403000-38c3404000 rw-p 00003000 fd:00 874268                         /lib64/libdl-2.11.1.so
38c3600000-38c3617000 r-xp 00000000 fd:00 874836                         /lib64/libpthread-2.11.1.so
38c3617000-38c3816000 ---p 00017000 fd:00 874836                         /lib64/libpthread-2.11.1.so
38c3816000-38c3817000 r--p 00016000 fd:00 874836                         /lib64/libpthread-2.11.1.so
38c3817000-38c3818000 rw-p 00017000 fd:00 874836                         /lib64/libpthread-2.11.1.so
38c3818000-38c381c000 rw-p 00000000 00:00 0 
38c3a00000-38c3a15000 r-xp 00000000 fd:00 874869                         /lib64/libz.so.1.2.3
38c3a15000-38c3c14000 ---p 00015000 fd:00 874869                         /lib64/libz.so.1.2.3
38c3c14000-38c3c15000 rw-p 00014000 fd:00 874869                         /lib64/libz.so.1.2.3
38c4200000-38c421c000 r-xp 00000000 fd:00 874866                         /lib64/libselinux.so.1
38c421c000-38c441b000 ---p 0001c000 fd:00 874866                         /lib64/libselinux.so.1
38c441b000-38c441c000 r--p 0001b000 fd:00 874866                         /lib64/libselinux.so.1
38c441c000-38c441d000 rw-p 0001c000 fd:00 874866                         /lib64/libselinux.so.1
38c441d000-38c441e000 rw-p 00000000 00:00 0 
38c4a00000-38c4a15000 r-xp 00000000 fd:00 874865                         /lib64/libresolv-2.11.1.so
38c4a15000-38c4c15000 ---p 00015000 fd:00 874865                         /lib64/libresolv-2.11.1.so
38c4c15000-38c4c16000 r--p 00015000 fd:00 874865                         /lib64/libresolv-2.11.1.so
38c4c16000-38c4c17000 rw-p 00016000 fd:00 874865                         /lib64/libresolv-2.11.1.so
38c4c17000-38c4c19000 rw-p 00000000 00:00 0 
38c5200000-38c521b000 r-xp 00000000 fd:00 383880                         /usr/lib64/libxcb.so.1.1.0
38c521b000-38c541a000 ---p 0001b000 fd:00 383880                         /usr/lib64/libxcb.so.1.1.0
38c541a000-38c541b000 rw-p 0001a000 fd:00 383880                         /usr/lib64/libxcb.so.1.1.0
38c5600000-38c5602000 r-xp 00000000 fd:00 383876                         /usr/lib64/libXau.so.6.0.0
38c5602000-38c5802000 ---p 00002000 fd:00 383876                         /usr/lib64/libXau.so.6.0.0
38c5802000-38c5803000 rw-p 00002000 fd:00 383876                         /usr/lib64/libXau.so.6.0.0
38c5a00000-38c5b39000 r-xp 00000000 fd:00 383910                         /usr/lib64/libX11.so.6.3.0
38c5b39000-38c5d39000 ---p 00139000 fd:00 383910                         /usr/lib64/libX11.so.6.3.0
38c5d39000-38c5d3f000 rw-p 00139000 fd:00 383910                         /usr/lib64/libX11.so.6.3.0
38c6a00000-38c6a37000 r-xp 00000000 fd:00 844088                         /usr/lib64/libgslcblas.so.0.0.0
38c6a37000-38c6c36000 ---p 00037000 fd:00 844088                         /usr/lib64/libgslcblas.so.0.0.0
38c6c36000-38c6c37000 rw-p 00036000 fd:00 844088                         /usr/lib64/libgslcblas.so.0.0.0Abort


Version-Release number of selected component (if applicable): 3.7.0-8.fc12.x86_64


How reproducible: Always


Steps to Reproduce:
1.Read an image with a long header and RA---TAN-SIP, DEC--TAN-SIP WCS system. 
2.Try to use wcsinit.
3.
  
Actual results: Program Aborted before wcsinit finishes.


Expected results: wcsinit should run and allow to use other wcstools functions.


Additional info:

    The problem occurs when calling wcsinit.

    Problem goes away if header of FITS file is edited and CTYPE1 and CTYPE2 keyword values are changed from RA---TAN-SIP and DEC--TAN-SIP to RA---TAN and DEC--TAN. 

    Problem is not existent when working with the same original FITS image in FC11, wcstools version 3.7.0-7.fc11.x86_64.

    Problem is not existent when using own compilation of wcstools version 3.8.1.
Comment 1 Sergio Pascual 2010-01-29 13:08:54 UTC 
Pablo, thanks for the bug report.

Could you put somewhere a sample FITS that makes the application crash?
Comment 2 Pablo Pérez González 2010-01-29 15:59:41 UTC 
Here it is:

http://guaix.fis.ucm.es/~pgperez/temp/thdfn_all_ch1_m.fits

And the code I was running:

struct WorldCoor *rwcs;
string rname="thdfn_all_ch1_m.fits";
char *header;
int lhead,nbhead;
rfile=new char [rname.length()+1];
strcpy(rfile,rname.c_str());
header=fitsrhead(rfile,&lhead,&nbhead);
rwcs=wcsinit(header);
//Abort is produced in the previous line!!!!

wcs2pix(rwcs,esa1,esa2,&wx,&wy,&off);
...
Comment 3 Sergio Pascual 2010-02-01 12:24:21 UTC 
I'm testing wcstools 3.8.1

The size of field c1type in struct WorldCoor is 9, but the value copied into it is 'RA---TAN-SIP', whose length is 12. There are other fields with numeric values, such as radecsys[32] or ctype[9][9]. I don't feel I can fix the bug without the danger of creating new problems

I will report the bug upstream,
If the maintainer creates a fix, I can patch the fedora package
Comment 4 Fedora Update System 2010-02-03 18:44:26 UTC 
wcstools-3.8.1-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/wcstools-3.8.1-1.fc12
Comment 5 Fedora Update System 2010-02-03 18:45:42 UTC 
wcstools-3.8.1-1.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/wcstools-3.8.1-1.fc11.1
Comment 6 Pablo Pérez González 2010-02-04 09:03:25 UTC 
wcstools-3.8.1-1.fc12 seems to have solved the issue. And it has also solved a related problem in ds9, which aborted when loading the same type of image. Thanks.
Comment 7 Fedora Update System 2010-02-05 01:47:33 UTC 
wcstools-3.8.1-1.fc11.1 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update wcstools'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-1495
Comment 8 Fedora Update System 2010-02-05 01:49:12 UTC 
wcstools-3.8.1-1.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update wcstools'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1504
Comment 9 Fedora Update System 2010-02-23 05:24:35 UTC 
wcstools-3.8.1-1.fc11.1 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2010-02-23 05:29:06 UTC 
wcstools-3.8.1-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.