Bug 561788

Summary: Buffer overflow detected in wcstools
Product: [Fedora] Fedora EPEL
Reporter: Sergio Pascual <sergio.pasra>
Component: wcstools
Assignee: Sergio Pascual <sergio.pasra>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: el5
CC: mmahut, sergio.pasra
Target Milestone: ---
Keywords: Triaged
Hardware: All
OS: Linux
Doc Type: Bug Fix
Clone Of: 559863
Last Closed: 2015-01-24 00:46:52 UTC
Bug Depends On: 559863

Description Sergio Pascual 2010-02-04 10:26:55 UTC
+++ This bug was initially created as a clone of Bug #559863 +++

Description of problem:

When using wcstools in FC12, version 3.7.0-8.fc12.x86_64, within a C++ program to read a FITS file image with a long header, the program exits abnormally, giving the following error:

*** buffer overflow detected ***: postager terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x38c2af75e7]
/lib64/libc.so.6[0x38c2af5600]
/usr/lib64/libwc.so.0(wcstype+0x1bc)[0x38c162cf1c]
/usr/lib64/libwc.so.0(wcsinitc+0xe7b)[0x38c16261ab]
/usr/lib64/libwc.so.0(wcsinit+0x13)[0x38c1627e73]
~/lib/libcmine.so.0(_Z5getxySsddRdS_+0xba)[0x7f774f2a3459]
~/lib/libcmine.so.0(_Z5getxySsffRfS_+0x84)[0x7f774f2a7541]
postager(main+0x1c2d)[0x40a0cd]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x38c2a1eb1d]
postager[0x404b49]
======= Memory map: ========
00400000-00422000 r-xp 00000000 fd:02 76808352                           ~/src/postager
00622000-00623000 rw-p 00022000 fd:02 76808352                           ~/src/postager
00623000-00624000 rw-p 00000000 00:00 0 
016c5000-016e6000 rw-p 00000000 00:00 0                                  [heap]
38c1200000-38c121e000 r-xp 00000000 fd:00 873791                         /lib64/ld-2.11.1.so
38c141d000-38c141e000 r--p 0001d000 fd:00 873791                         /lib64/ld-2.11.1.so
38c141e000-38c141f000 rw-p 0001e000 fd:00 873791                         /lib64/ld-2.11.1.so
38c141f000-38c1420000 rw-p 00000000 00:00 0 
38c1600000-38c16b1000 r-xp 00000000 fd:00 383867                         /usr/lib64/libwcs.so.0.0.0
38c16b1000-38c18b0000 ---p 000b1000 fd:00 383867                         /usr/lib64/libwcs.so.0.0.0
38c18b0000-38c18b4000 rw-p 000b0000 fd:00 383867                         /usr/lib64/libwcs.so.0.0.0
38c18b4000-38c18b8000 rw-p 00000000 00:00 0 
38c1a00000-38c1a03000 r-xp 00000000 fd:00 874881                         /lib64/libcom_err.so.2.1
38c1a03000-38c1c02000 ---p 00003000 fd:00 874881                         /lib64/libcom_err.so.2.1
38c1c02000-38c1c03000 rw-p 00002000 fd:00 874881                         /lib64/libcom_err.so.2.1
38c1e00000-38c1f6f000 r-xp 00000000 fd:00 384515                         /usr/lib64/libcrypto.so.1.0.0
38c1f6f000-38c216e000 ---p 0016f000 fd:00 384515                         /usr/lib64/libcrypto.so.1.0.0
38c216e000-38c2190000 rw-p 0016e000 fd:00 384515                         /usr/lib64/libcrypto.so.1.0.0
38c2190000-38c2194000 rw-p 00000000 00:00 0 
38c2200000-38c2209000 r-xp 00000000 fd:00 874879                         /lib64/libkrb5support.so.0.1
38c2209000-38c2408000 ---p 00009000 fd:00 874879                         /lib64/libkrb5support.so.0.1
38c2408000-38c2409000 rw-p 00008000 fd:00 874879                         /lib64/libkrb5support.so.0.1
38c2600000-38c262d000 r-xp 00000000 fd:00 874883                         /lib64/libgssapi_krb5.so.2.2
38c262d000-38c282d000 ---p 0002d000 fd:00 874883                         /lib64/libgssapi_krb5.so.2.2
38c282d000-38c282f000 rw-p 0002d000 fd:00 874883                         /lib64/libgssapi_krb5.so.2.2
38c2a00000-38c2b6f000 r-xp 00000000 fd:00 873794                         /lib64/libc-2.11.1.so
38c2b6f000-38c2d6f000 ---p 0016f000 fd:00 873794                         /lib64/libc-2.11.1.so
38c2d6f000-38c2d73000 r--p 0016f000 fd:00 873794                         /lib64/libc-2.11.1.so
38c2d73000-38c2d74000 rw-p 00173000 fd:00 873794                         /lib64/libc-2.11.1.so
38c2d74000-38c2d79000 rw-p 00000000 00:00 0 
38c2e00000-38c2e83000 r-xp 00000000 fd:00 874871                         /lib64/libm-2.11.1.so
38c2e83000-38c3082000 ---p 00083000 fd:00 874871                         /lib64/libm-2.11.1.so
38c3082000-38c3083000 r--p 00082000 fd:00 874871                         /lib64/libm-2.11.1.so
38c3083000-38c3084000 rw-p 00083000 fd:00 874871                         /lib64/libm-2.11.1.so
38c3200000-38c3202000 r-xp 00000000 fd:00 874268                         /lib64/libdl-2.11.1.so
38c3202000-38c3402000 ---p 00002000 fd:00 874268                         /lib64/libdl-2.11.1.so
38c3402000-38c3403000 r--p 00002000 fd:00 874268                         /lib64/libdl-2.11.1.so
38c3403000-38c3404000 rw-p 00003000 fd:00 874268                         /lib64/libdl-2.11.1.so
38c3600000-38c3617000 r-xp 00000000 fd:00 874836                         /lib64/libpthread-2.11.1.so
38c3617000-38c3816000 ---p 00017000 fd:00 874836                         /lib64/libpthread-2.11.1.so
38c3816000-38c3817000 r--p 00016000 fd:00 874836                         /lib64/libpthread-2.11.1.so
38c3817000-38c3818000 rw-p 00017000 fd:00 874836                         /lib64/libpthread-2.11.1.so
38c3818000-38c381c000 rw-p 00000000 00:00 0 
38c3a00000-38c3a15000 r-xp 00000000 fd:00 874869                         /lib64/libz.so.1.2.3
38c3a15000-38c3c14000 ---p 00015000 fd:00 874869                         /lib64/libz.so.1.2.3
38c3c14000-38c3c15000 rw-p 00014000 fd:00 874869                         /lib64/libz.so.1.2.3
38c4200000-38c421c000 r-xp 00000000 fd:00 874866                         /lib64/libselinux.so.1
38c421c000-38c441b000 ---p 0001c000 fd:00 874866                         /lib64/libselinux.so.1
38c441b000-38c441c000 r--p 0001b000 fd:00 874866                         /lib64/libselinux.so.1
38c441c000-38c441d000 rw-p 0001c000 fd:00 874866                         /lib64/libselinux.so.1
38c441d000-38c441e000 rw-p 00000000 00:00 0 
38c4a00000-38c4a15000 r-xp 00000000 fd:00 874865                         /lib64/libresolv-2.11.1.so
38c4a15000-38c4c15000 ---p 00015000 fd:00 874865                         /lib64/libresolv-2.11.1.so
38c4c15000-38c4c16000 r--p 00015000 fd:00 874865                         /lib64/libresolv-2.11.1.so
38c4c16000-38c4c17000 rw-p 00016000 fd:00 874865                         /lib64/libresolv-2.11.1.so
38c4c17000-38c4c19000 rw-p 00000000 00:00 0 
38c5200000-38c521b000 r-xp 00000000 fd:00 383880                         /usr/lib64/libxcb.so.1.1.0
38c521b000-38c541a000 ---p 0001b000 fd:00 383880                         /usr/lib64/libxcb.so.1.1.0
38c541a000-38c541b000 rw-p 0001a000 fd:00 383880                         /usr/lib64/libxcb.so.1.1.0
38c5600000-38c5602000 r-xp 00000000 fd:00 383876                         /usr/lib64/libXau.so.6.0.0
38c5602000-38c5802000 ---p 00002000 fd:00 383876                         /usr/lib64/libXau.so.6.0.0
38c5802000-38c5803000 rw-p 00002000 fd:00 383876                         /usr/lib64/libXau.so.6.0.0
38c5a00000-38c5b39000 r-xp 00000000 fd:00 383910                         /usr/lib64/libX11.so.6.3.0
38c5b39000-38c5d39000 ---p 00139000 fd:00 383910                         /usr/lib64/libX11.so.6.3.0
38c5d39000-38c5d3f000 rw-p 00139000 fd:00 383910                         /usr/lib64/libX11.so.6.3.0
38c6a00000-38c6a37000 r-xp 00000000 fd:00 844088                         /usr/lib64/libgslcblas.so.0.0.0
38c6a37000-38c6c36000 ---p 00037000 fd:00 844088                         /usr/lib64/libgslcblas.so.0.0.0
38c6c36000-38c6c37000 rw-p 00036000 fd:00 844088                         /usr/lib64/libgslcblas.so.0.0.0
Abort


Version-Release number of selected component (if applicable): 3.7.0-8.fc12.x86_64


How reproducible: Always


Steps to Reproduce:
1. Read an image with a long header and RA---TAN-SIP, DEC--TAN-SIP WCS system.
2. Try to use wcsinit.
Actual results: Program Aborted before wcsinit finishes.


Expected results: wcsinit should run and allow the other wcstools functions to be used.


Additional info:

    The problem occurs when calling wcsinit.

    The problem goes away if the header of the FITS file is edited and the CTYPE1 and CTYPE2 keyword values are changed from RA---TAN-SIP and DEC--TAN-SIP to RA---TAN and DEC--TAN.

    The problem does not occur when working with the same original FITS image in FC11, wcstools version 3.7.0-7.fc11.x86_64.

    The problem does not occur when using my own compilation of wcstools version 3.8.1.

--- Additional comment from sergio.pasra on 2010-01-29 08:08:54 EST ---

Pablo, thanks for the bug report.

Could you put somewhere a sample FITS that makes the application crash?

--- Additional comment from pgperez.ucm.es on 2010-01-29 10:59:41 EST ---

Here it is:

http://guaix.fis.ucm.es/~pgperez/temp/thdfn_all_ch1_m.fits

And the code I was running:

#include <cstring>
#include <string>
#include "fitsfile.h"   // fitsrhead() (wcstools header)
#include "wcs.h"        // struct WorldCoor, wcsinit(), wcs2pix() (wcstools header)
using namespace std;

struct WorldCoor *rwcs;
string rname="thdfn_all_ch1_m.fits";
char *header, *rfile;
int lhead,nbhead;
double esa1, esa2, wx, wy;   // sky position in, pixel position out (defined elsewhere in the original fragment)
int off;                     // set by wcs2pix if the position falls off the image
rfile=new char [rname.length()+1];
strcpy(rfile,rname.c_str());
header=fitsrhead(rfile,&lhead,&nbhead);
rwcs=wcsinit(header);
//Abort is produced in the previous line!!!!

wcs2pix(rwcs,esa1,esa2,&wx,&wy,&off);
...

--- Additional comment from sergio.pasra on 2010-02-01 07:24:21 EST ---

I'm testing wcstools 3.8.1

The size of field c1type in struct WorldCoor is 9, but the value copied into it is 'RA---TAN-SIP', whose length is 12. There are other fields with numeric values, such as radecsys[32] or ctype[9][9]. I don't feel I can fix the bug without the danger of creating new problems.

I will report the bug upstream; if the maintainer creates a fix, I can patch the Fedora package.
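
The field-size mismatch described in the comment above (a 12-character 'RA---TAN-SIP' copied into a 9-byte c1type) is the classic unbounded-copy overflow; glibc's fortified string functions detect it at run time and call __fortify_fail, which is the "*** buffer overflow detected ***" abort in the backtrace. The following C program is an added illustration, not wcstools code: `struct toy_wcs`, `fits_card_string`, `set_ctype_checked` and `toy_wcs_init` are invented here, and the header cards are constructed. Only the 9-byte field width and the CTYPE values come from this report. It parses the cards and refuses, rather than overflows, when a value does not fit the field.

```c
/* Added example (not wcstools code). The struct is a toy stand-in for
 * struct WorldCoor; only the field width (9) is taken from the report. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define CTYPE_LEN 9            /* width of c1type per the report: 8 chars + NUL */

struct toy_wcs {
    char c1type[CTYPE_LEN];
    char c2type[CTYPE_LEN];
};

/* Extract the quoted string value from one FITS header card, e.g.
 * "CTYPE1  = 'RA---TAN-SIP' / ..." -> "RA---TAN-SIP". Trailing blanks
 * inside the quotes are not significant and are dropped. Returns the
 * length written, or -1 if there is no quoted value or it would not fit
 * in out[outsz]. */
int fits_card_string(const char *card, char *out, size_t outsz)
{
    const char *open = strchr(card, '\'');
    if (!open) return -1;
    const char *close = strchr(open + 1, '\'');
    if (!close) return -1;
    size_t len = (size_t)(close - open - 1);
    while (len > 0 && open[len] == ' ') len--;
    if (len + 1 > outsz) return -1;       /* would overflow: refuse */
    memcpy(out, open + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* The pattern behind the crash: strcpy() into a fixed field with no length
 * check. A 12-char value plus NUL into a 9-byte field overruns the struct;
 * with _FORTIFY_SOURCE glibc aborts instead of silently corrupting memory.
 * Shown for contrast only; it is never called in this example. */
void set_ctype_unchecked(char *field, const char *value)
{
    strcpy(field, value);
}

/* Hardened form: copy only if the value fits, otherwise return an error so
 * the caller can reject the header. */
int set_ctype_checked(char *field, size_t fieldsz, const char *value)
{
    size_t len = strlen(value);
    if (len + 1 > fieldsz) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(field, value, len + 1);
    return 0;
}

/* Fill the toy struct from the CTYPE1 and CTYPE2 cards; 0 on success, -1 if
 * either card is malformed or its value does not fit the field. */
int toy_wcs_init(struct toy_wcs *w, const char *ctype1_card, const char *ctype2_card)
{
    char val[80];                          /* a FITS card is at most 80 columns */
    if (fits_card_string(ctype1_card, val, sizeof val) < 0) return -1;
    if (set_ctype_checked(w->c1type, sizeof w->c1type, val) < 0) return -1;
    if (fits_card_string(ctype2_card, val, sizeof val) < 0) return -1;
    if (set_ctype_checked(w->c2type, sizeof w->c2type, val) < 0) return -1;
    return 0;
}

int main(void)
{
    struct toy_wcs w;
    /* constructed cards; the reporter's real FITS file is not used here */
    const char *sip1 = "CTYPE1  = 'RA---TAN-SIP'       / TAN projection with SIP distortion";
    const char *sip2 = "CTYPE2  = 'DEC--TAN-SIP'       / TAN projection with SIP distortion";
    if (toy_wcs_init(&w, sip1, sip2) < 0)
        printf("header rejected: CTYPE value does not fit in %d bytes\n", CTYPE_LEN);
    else
        printf("c1type=%s c2type=%s\n", w.c1type, w.c2type);
    return 0;
}
```

The plain RA---TAN / DEC--TAN header from the report is accepted by `toy_wcs_init`, while the -SIP variant is rejected with -1 at the copy step, which is the behaviour a bounded copy gives in place of the abort.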

--- Additional comment from updates on 2010-02-03 13:44:26 EST ---

wcstools-3.8.1-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/wcstools-3.8.1-1.fc12

--- Additional comment from updates on 2010-02-03 13:45:42 EST ---

wcstools-3.8.1-1.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/wcstools-3.8.1-1.fc11.1

--- Additional comment from pgperez.ucm.es on 2010-02-04 04:03:25 EST ---

wcstools-3.8.1-1.fc12 seems to have solved the issue. And it has also solved a related problem in ds9, which aborted when loading the same type of image. Thanks.