559863 – Buffer overflow detected in wcstools

Bug 559863 - Buffer overflow detected in wcstools

Summary: Buffer overflow detected in wcstools

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	wcstools
Sub Component:
Version:	12
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Sergio Pascual
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	561788
TreeView+	depends on / blocked

Reported:	2010-01-29 08:31 UTC by Pablo Pérez González
Modified:	2010-02-23 05:29 UTC (History)
CC List:	2 users (show)
Fixed In Version:	wcstools-3.8.1-1.fc12
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	561788 (view as bug list)
Environment:
Last Closed:	2010-02-23 05:24:40 UTC
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Pablo Pérez González 2010-01-29 08:31:35 UTC

Description of problem:

When using wcstools in FC12, version 3.7.0-8.fc12.x86_64, within a c++ program to read a FITS file image with a long header, the program exits anormaly giving the following error:

*** buffer overflow detected ***: postager terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x38c2af75e7]
/lib64/libc.so.6[0x38c2af5600]
/usr/lib64/libwc.so.0(wcstype+0x1bc)[0x38c162cf1c]
/usr/lib64/libwc.so.0(wcsinitc+0xe7b)[0x38c16261ab]
/usr/lib64/libwc.so.0(wcsinit+0x13)[0x38c1627e73]
~/lib/libcmine.so.0(_Z5getxySsddRdS_+0xba)[0x7f774f2a3459]
~/lib/libcmine.so.0(_Z5getxySsffRfS_+0x84)[0x7f774f2a7541]
postager(main+0x1c2d)[0x40a0cd]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x38c2a1eb1d]
postager[0x404b49]
======= Memory map: ========
00400000-00422000 r-xp 00000000 fd:02 76808352                           ~/src/postager
00622000-00623000 rw-p 00022000 fd:02 76808352                           ~/src/postager
00623000-00624000 rw-p 00000000 00:00 0 
016c5000-016e6000 rw-p 00000000 00:00 0                                  [heap]
38c1200000-38c121e000 r-xp 00000000 fd:00 873791                         /lib64/ld-2.11.1.so
38c141d000-38c141e000 r--p 0001d000 fd:00 873791                         /lib64/ld-2.11.1.so
38c141e000-38c141f000 rw-p 0001e000 fd:00 873791                         /lib64/ld-2.11.1.so
38c141f000-38c1420000 rw-p 00000000 00:00 0 
38c1600000-38c16b1000 r-xp 00000000 fd:00 383867                         /usr/lib64/libwcs.so.0.0.0
38c16b1000-38c18b0000 ---p 000b1000 fd:00 383867                         /usr/lib64/libwcs.so.0.0.0
38c18b0000-38c18b4000 rw-p 000b0000 fd:00 383867                         /usr/lib64/libwcs.so.0.0.0
38c18b4000-38c18b8000 rw-p 00000000 00:00 0 
38c1a00000-38c1a03000 r-xp 00000000 fd:00 874881                         /lib64/libcom_err.so.2.1
38c1a03000-38c1c02000 ---p 00003000 fd:00 874881                         /lib64/libcom_err.so.2.1
38c1c02000-38c1c03000 rw-p 00002000 fd:00 874881                         /lib64/libcom_err.so.2.1
38c1e00000-38c1f6f000 r-xp 00000000 fd:00 384515                         /usr/lib64/libcrypto.so.1.0.0
38c1f6f000-38c216e000 ---p 0016f000 fd:00 384515                         /usr/lib64/libcrypto.so.1.0.0
38c216e000-38c2190000 rw-p 0016e000 fd:00 384515                         /usr/lib64/libcrypto.so.1.0.0
38c2190000-38c2194000 rw-p 00000000 00:00 0 
38c2200000-38c2209000 r-xp 00000000 fd:00 874879                         /lib64/libkrb5support.so.0.1
38c2209000-38c2408000 ---p 00009000 fd:00 874879                         /lib64/libkrb5support.so.0.1
38c2408000-38c2409000 rw-p 00008000 fd:00 874879                         /lib64/libkrb5support.so.0.1
38c2600000-38c262d000 r-xp 00000000 fd:00 874883                         /lib64/libgssapi_krb5.so.2.2
38c262d000-38c282d000 ---p 0002d000 fd:00 874883                         /lib64/libgssapi_krb5.so.2.2
38c282d000-38c282f000 rw-p 0002d000 fd:00 874883                         /lib64/libgssapi_krb5.so.2.2
38c2a00000-38c2b6f000 r-xp 00000000 fd:00 873794                         /lib64/libc-2.11.1.so
38c2b6f000-38c2d6f000 ---p 0016f000 fd:00 873794                         /lib64/libc-2.11.1.so
38c2d6f000-38c2d73000 r--p 0016f000 fd:00 873794                         /lib64/libc-2.11.1.so
38c2d73000-38c2d74000 rw-p 00173000 fd:00 873794                         /lib64/libc-2.11.1.so
38c2d74000-38c2d79000 rw-p 00000000 00:00 0 
38c2e00000-38c2e83000 r-xp 00000000 fd:00 874871                         /lib64/libm-2.11.1.so
38c2e83000-38c3082000 ---p 00083000 fd:00 874871                         /lib64/libm-2.11.1.so
38c3082000-38c3083000 r--p 00082000 fd:00 874871                         /lib64/libm-2.11.1.so
38c3083000-38c3084000 rw-p 00083000 fd:00 874871                         /lib64/libm-2.11.1.so
38c3200000-38c3202000 r-xp 00000000 fd:00 874268                         /lib64/libdl-2.11.1.so
38c3202000-38c3402000 ---p 00002000 fd:00 874268                         /lib64/libdl-2.11.1.so
38c3402000-38c3403000 r--p 00002000 fd:00 874268                         /lib64/libdl-2.11.1.so
38c3403000-38c3404000 rw-p 00003000 fd:00 874268                         /lib64/libdl-2.11.1.so
38c3600000-38c3617000 r-xp 00000000 fd:00 874836                         /lib64/libpthread-2.11.1.so
38c3617000-38c3816000 ---p 00017000 fd:00 874836                         /lib64/libpthread-2.11.1.so
38c3816000-38c3817000 r--p 00016000 fd:00 874836                         /lib64/libpthread-2.11.1.so
38c3817000-38c3818000 rw-p 00017000 fd:00 874836                         /lib64/libpthread-2.11.1.so
38c3818000-38c381c000 rw-p 00000000 00:00 0 
38c3a00000-38c3a15000 r-xp 00000000 fd:00 874869                         /lib64/libz.so.1.2.3
38c3a15000-38c3c14000 ---p 00015000 fd:00 874869                         /lib64/libz.so.1.2.3
38c3c14000-38c3c15000 rw-p 00014000 fd:00 874869                         /lib64/libz.so.1.2.3
38c4200000-38c421c000 r-xp 00000000 fd:00 874866                         /lib64/libselinux.so.1
38c421c000-38c441b000 ---p 0001c000 fd:00 874866                         /lib64/libselinux.so.1
38c441b000-38c441c000 r--p 0001b000 fd:00 874866                         /lib64/libselinux.so.1
38c441c000-38c441d000 rw-p 0001c000 fd:00 874866                         /lib64/libselinux.so.1
38c441d000-38c441e000 rw-p 00000000 00:00 0 
38c4a00000-38c4a15000 r-xp 00000000 fd:00 874865                         /lib64/libresolv-2.11.1.so
38c4a15000-38c4c15000 ---p 00015000 fd:00 874865                         /lib64/libresolv-2.11.1.so
38c4c15000-38c4c16000 r--p 00015000 fd:00 874865                         /lib64/libresolv-2.11.1.so
38c4c16000-38c4c17000 rw-p 00016000 fd:00 874865                         /lib64/libresolv-2.11.1.so
38c4c17000-38c4c19000 rw-p 00000000 00:00 0 
38c5200000-38c521b000 r-xp 00000000 fd:00 383880                         /usr/lib64/libxcb.so.1.1.0
38c521b000-38c541a000 ---p 0001b000 fd:00 383880                         /usr/lib64/libxcb.so.1.1.0
38c541a000-38c541b000 rw-p 0001a000 fd:00 383880                         /usr/lib64/libxcb.so.1.1.0
38c5600000-38c5602000 r-xp 00000000 fd:00 383876                         /usr/lib64/libXau.so.6.0.0
38c5602000-38c5802000 ---p 00002000 fd:00 383876                         /usr/lib64/libXau.so.6.0.0
38c5802000-38c5803000 rw-p 00002000 fd:00 383876                         /usr/lib64/libXau.so.6.0.0
38c5a00000-38c5b39000 r-xp 00000000 fd:00 383910                         /usr/lib64/libX11.so.6.3.0
38c5b39000-38c5d39000 ---p 00139000 fd:00 383910                         /usr/lib64/libX11.so.6.3.0
38c5d39000-38c5d3f000 rw-p 00139000 fd:00 383910                         /usr/lib64/libX11.so.6.3.0
38c6a00000-38c6a37000 r-xp 00000000 fd:00 844088                         /usr/lib64/libgslcblas.so.0.0.0
38c6a37000-38c6c36000 ---p 00037000 fd:00 844088                         /usr/lib64/libgslcblas.so.0.0.0
38c6c36000-38c6c37000 rw-p 00036000 fd:00 844088                         /usr/lib64/libgslcblas.so.0.0.0Abort


Version-Release number of selected component (if applicable): 3.7.0-8.fc12.x86_64


How reproducible: Always


Steps to Reproduce:
1.Read an image with a long header and RA---TAN-SIP, DEC--TAN-SIP WCS system. 
2.Try to use wcsinit.
3.
  
Actual results: Program Aborted before wcsinit finishes.


Expected results: wcsinit should run and allow to use other wcstools functions.


Additional info:

    The problem occurs when calling wcsinit.

    Problem goes away if header of FITS file is edited and CTYPE1 and CTYPE2 keyword values are changed from RA---TAN-SIP and DEC--TAN-SIP to RA---TAN and DEC--TAN. 

    Problem is not existent when working with the same original FITS image in FC11, wcstools version 3.7.0-7.fc11.x86_64.

    Problem is not existent when using own compilation of wcstools version 3.8.1.

Comment 1 Sergio Pascual 2010-01-29 13:08:54 UTC

Pablo, thanks for the bug report.

Could you put somewhere a sample FITS that makes the application crash?

Comment 2 Pablo Pérez González 2010-01-29 15:59:41 UTC

Here it is:

http://guaix.fis.ucm.es/~pgperez/temp/thdfn_all_ch1_m.fits

And the code I was running:

struct WorldCoor *rwcs;
string rname="thdfn_all_ch1_m.fits";
char *header;
int lhead,nbhead;
rfile=new char [rname.length()+1];
strcpy(rfile,rname.c_str());
header=fitsrhead(rfile,&lhead,&nbhead);
rwcs=wcsinit(header);
//Abort is produced in the previous line!!!!

wcs2pix(rwcs,esa1,esa2,&wx,&wy,&off);
...

Comment 3 Sergio Pascual 2010-02-01 12:24:21 UTC

I'm testing wcstools 3.8.1

The size of field c1type in struct WorldCoor is 9, but the value copied into it is 'RA---TAN-SIP', whose length is 12. There are other fields with numeric values, such as radecsys[32] or ctype[9][9]. I don't feel I can fix the bug without the danger of creating new problems

I will report the bug upstream,
If the maintainer creates a fix, I can patch the fedora package

Comment 4 Fedora Update System 2010-02-03 18:44:26 UTC

wcstools-3.8.1-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/wcstools-3.8.1-1.fc12

Comment 5 Fedora Update System 2010-02-03 18:45:42 UTC

wcstools-3.8.1-1.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/wcstools-3.8.1-1.fc11.1

Comment 6 Pablo Pérez González 2010-02-04 09:03:25 UTC

wcstools-3.8.1-1.fc12 seems to have solved the issue. And it has also solved a related problem in ds9, which aborted when loading the same type of image. Thanks.

Comment 7 Fedora Update System 2010-02-05 01:47:33 UTC

wcstools-3.8.1-1.fc11.1 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update wcstools'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-1495

Comment 8 Fedora Update System 2010-02-05 01:49:12 UTC

wcstools-3.8.1-1.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update wcstools'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1504

Comment 9 Fedora Update System 2010-02-23 05:24:35 UTC

wcstools-3.8.1-1.fc11.1 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2010-02-23 05:29:06 UTC

wcstools-3.8.1-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.