Bug 1652610 - There is a heap-buffer-overflow at liblas::SpatialReference::GetGTIF() (src/spatialreference.cpp:518) in libLAS which will cause a DoS attack.
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: liblas
Version: rawhide
Hardware: All
OS: All
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Devrim Gündüz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
 
Reported: 2018-11-22 13:15 UTC by shuitao gan
Modified: 2018-11-22 13:15 UTC (History)

Clone Of:
Last Closed:


Attachments
./las2pg POC1 (440 bytes, application/octet-stream), 2018-11-22 13:15 UTC, shuitao gan

Description shuitao gan 2018-11-22 13:15:05 UTC
Created attachment 1507936
./las2pg POC1

version: libLAS2.4
Summary: 

There is a heap-buffer-overflow at liblas::SpatialReference::GetGTIF() (src/spatialreference.cpp:518) in libLAS which will cause a DoS attack.

Description:

The gdb debug output is as follows:

$ ./las2pg POC1

=================================================================
==40200==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000e400 at pc 0x7ff597100d95 bp 0x7fff485354b0 sp 0x7fff48534c58
READ of size 262208 at 0x60600000e400 thread T0
    #0 0x7ff597100d94 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cd94)
    #1 0x7ff596bf5ffd in ST_SetKey (/usr/lib/x86_64-linux-gnu/libgeotiff.so.2+0x16ffd)
    #2 0x7ff595c23475 in liblas::SpatialReference::GetGTIF() /home/company/real_sanitize/libLAS-master/src/spatialreference.cpp:518
    #3 0x7ff595c25681 in liblas::SpatialReference::SpatialReference(std::vector<liblas::VariableRecord, std::allocator<liblas::VariableRecord> > const&) /home/company/real_sanitize/libLAS-master/src/spatialreference.cpp:102
    #4 0x7ff595c7bd58 in liblas::detail::reader::Header::ReadVLRs() /home/company/real_sanitize/libLAS-master/src/detail/reader/header.cpp:389
    #5 0x7ff595c7f53d in liblas::detail::reader::Header::ReadHeader() /home/company/real_sanitize/libLAS-master/src/detail/reader/header.cpp:272
    #6 0x7ff595bc91f6 in liblas::ReaderFactory::CreateWithStream(std::istream&) /home/company/real_sanitize/libLAS-master/src/factory.cpp:92
    #7 0x7ff596e47d4f in LASReader_Create /home/company/real_sanitize/libLAS-master/src/c_api.cpp:248
    #8 0x403701 in main /home/company/real_sanitize/libLAS-master/apps/las2pg.c:424
    #9 0x7ff596835a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #10 0x404b88 in _start (/home/company/real_sanitize/libLAS-master/build/install/bin/las2pg+0x404b88)

0x60600000e400 is located 0 bytes to the right of 64-byte region [0x60600000e3c0,0x60600000e400)
allocated by thread T0 here:
    #0 0x7ff59710d8b2 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x998b2)
    #1 0x7ff595c2362b in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
    #2 0x7ff595c2362b in __gnu_cxx::__alloc_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/include/c++/5/ext/alloc_traits.h:182
    #3 0x7ff595c2362b in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/include/c++/5/bits/stl_vector.h:170
    #4 0x7ff595c2362b in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_create_storage(unsigned long) /usr/include/c++/5/bits/stl_vector.h:185
    #5 0x7ff595c2362b in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_Vector_base(unsigned long, std::allocator<unsigned char> const&) /usr/include/c++/5/bits/stl_vector.h:136
    #6 0x7ff595c2362b in std::vector<unsigned char, std::allocator<unsigned char> >::vector(std::vector<unsigned char, std::allocator<unsigned char> > const&) /usr/include/c++/5/bits/stl_vector.h:320
    #7 0x7ff595c2362b in liblas::SpatialReference::GetGTIF() /home/company/real_sanitize/libLAS-master/src/spatialreference.cpp:496
    #8 0x7fff48535adf  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x0c0c7fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9c70: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c0c7fff9c80:[fa]fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c7fff9c90: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
  0x0c0c7fff9ca0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff9cb0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c7fff9cc0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c7fff9cd0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==40200==ABORTING
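
Added illustrative example (not libLAS or libgeotiff code, and not part of the report above): the sanitizer trace shows ST_SetKey() memcpy'ing 262208 bytes out of a 64-byte std::vector that GetGTIF() copied from the VLR payload at spatialreference.cpp:496, so the element count handed to ST_SetKey() was not derived from the payload's actual size. The report does not show where that count came from; the C++ below assumes, for illustration only, a header-declared record length as the source, and contrasts a consumer that trusts that length with one that validates it against the bytes actually present. All names here (Vlr, KeyStore, import_geokeys_*, make_*_vlr) are hypothetical, and the constructed 64-byte record stands in for the POC1 attachment, which is not reproduced.

```cpp
// Illustrative example only: not libLAS/libgeotiff code. Models the mismatch
// visible in the ASan trace (a copy length far larger than the 64-byte vector
// it reads from) and the check that prevents it.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <vector>

// Hypothetical VLR: the file header declares a record length (untrusted),
// the payload is whatever the reader actually loaded.
struct Vlr {
    uint16_t record_id;
    uint16_t declared_length;      // from the on-disk VLR header (attacker controlled)
    std::vector<uint8_t> data;     // bytes actually read from the file
};

// Stand-in for a geokey store. It does what the trace shows ST_SetKey doing:
// copy count*elem_size bytes from src, trusting the caller's count.
struct KeyStore {
    std::vector<uint8_t> raw;
    void set_key(const void* src, size_t count, size_t elem_size) {
        raw.resize(count * elem_size);
        std::memcpy(raw.data(), src, count * elem_size); // no knowledge of src's real size
    }
};

// Vulnerable pattern: the count is computed from the declared length, not from
// data.size(). A declared length larger than the payload over-reads the heap
// past the vector, which is the heap-buffer-overflow READ in the report.
// Do not call this on make_oversized_vlr(); it is the bug, kept for contrast.
size_t import_geokeys_trusting_header(const Vlr& v, KeyStore& ks) {
    size_t count = v.declared_length / sizeof(uint16_t);
    ks.set_key(v.data.data(), count, sizeof(uint16_t));
    return count;
}

// Hardened pattern: refuse a record whose declared length disagrees with the
// payload, reject a payload that is not a whole number of 16-bit keys, and
// derive the count only from the bytes present.
size_t import_geokeys_checked(const Vlr& v, KeyStore& ks) {
    if (static_cast<size_t>(v.declared_length) != v.data.size())
        throw std::length_error("VLR declared length does not match payload size");
    if (v.data.size() % sizeof(uint16_t) != 0)
        throw std::length_error("GeoKey payload is not a whole number of shorts");
    size_t count = v.data.size() / sizeof(uint16_t);
    ks.set_key(v.data.data(), count, sizeof(uint16_t));
    return count;
}

// Constructed sample mirroring the report: 64 bytes of payload (the size of the
// region ASan reported) under a header claiming far more. 34735 is the GeoTIFF
// GeoKeyDirectoryTag id; the payload bytes are arbitrary filler.
Vlr make_oversized_vlr() {
    Vlr v;
    v.record_id = 34735;
    v.declared_length = 0xFFFF;     // largest value the 16-bit length field can hold
    v.data.assign(64, 0x41);
    return v;
}

// Constructed well-formed sample: declared length equals the payload size.
Vlr make_sane_vlr() {
    Vlr v;
    v.record_id = 34735;
    v.declared_length = 64;
    v.data.assign(64, 0x41);
    return v;
}

// True if the checked importer refuses the record instead of copying.
bool checked_rejects(const Vlr& v) {
    KeyStore ks;
    try {
        import_geokeys_checked(v, ks);
    } catch (const std::length_error&) {
        return true;
    }
    return false;
}

int main() {
    // Only the hardened path is exercised here; the trusting path on the
    // oversized record would reproduce the over-read.
    bool rejected = checked_rejects(make_oversized_vlr());
    bool accepted = !checked_rejects(make_sane_vlr());
    return (rejected && accepted) ? 0 : 1;
}
```

The practical check for any reader of this format is the one in import_geokeys_checked(): a length that arrives from the file must be compared against the number of bytes the reader really holds before it is handed to any routine that copies by count, because libgeotiff's ST_SetKey() cannot know the real size of the buffer it is given.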

