Bug 1652611 - There is an illegal address access at liblas::SpatialReference::GetGTIF()(src/spatialreference.cpp:532) in libLAS while will cause dos attack.
Summary: There is an illegal address access at liblas::SpatialReference::GetGTIF()(src...
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: liblas
Version: 31
Hardware: All
OS: All
unspecified
urgent
Target Milestone: ---
Assignee: Devrim Gündüz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-11-22 13:16 UTC by shuitao gan
Modified: 2019-08-13 19:40 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)
./las2pg POC2 (440 bytes, application/octet-stream)
2018-11-22 13:16 UTC, shuitao gan
no flags Details

Description shuitao gan 2018-11-22 13:16:24 UTC
Created attachment 1507937 [details]
./las2pg POC2

version: libLAS2.4
Summary: 

There is an illegal address access at liblas::SpatialReference::GetGTIF()(src/spatialreference.cpp:532) in libLAS while will cause dos attack.

Description:

The gdb debug is as follows:

$./las2pg POC2 

ASAN:SIGSEGV
=================================================================
==40202==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fce7b1236fa bp 0x7ffc9bbfdda0 sp 0x7ffc9bbfd528 T0)
    #0 0x7fce7b1236f9 in strlen (/lib/x86_64-linux-gnu/libc.so.6+0x8b6f9)
    #1 0x7fce7b967605 in __interceptor_strlen (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x70605)
    #2 0x7fce7b47904e in ST_SetKey (/usr/lib/x86_64-linux-gnu/libgeotiff.so.2+0x1704e)
    #3 0x7fce7a4a6749 in liblas::SpatialReference::GetGTIF() /home/company/real_sanitize/libLAS-master/src/spatialreference.cpp:532
    #4 0x7fce7a4a8681 in liblas::SpatialReference::SpatialReference(std::vector<liblas::VariableRecord, std::allocator<liblas::VariableRecord> > const&) /home/company/real_sanitize/libLAS-master/src/spatialreference.cpp:102
    #5 0x7fce7a4fed58 in liblas::detail::reader::Header::ReadVLRs() /home/company/real_sanitize/libLAS-master/src/detail/reader/header.cpp:389
    #6 0x7fce7a50253d in liblas::detail::reader::Header::ReadHeader() /home/company/real_sanitize/libLAS-master/src/detail/reader/header.cpp:272
    #7 0x7fce7a44c1f6 in liblas::ReaderFactory::CreateWithStream(std::istream&) /home/company/real_sanitize/libLAS-master/src/factory.cpp:92
    #8 0x7fce7b6cad4f in LASReader_Create /home/company/real_sanitize/libLAS-master/src/c_api.cpp:248
    #9 0x403701 in main /home/company/real_sanitize/libLAS-master/apps/las2pg.c:424
    #10 0x7fce7b0b8a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #11 0x404b88 in _start (/home/company/real_sanitize/libLAS-master/build/install/bin/las2pg+0x404b88)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 strlen
==40202==ABORTING

Comment 1 Ben Cotton 2019-08-13 16:57:34 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to '31'.

Comment 2 Ben Cotton 2019-08-13 19:40:27 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to 31.


Note You need to log in before you can comment on or make changes to this bug.