Bug 561788 - Buffer overflow detected in wcstools
Summary: Buffer overflow detected in wcstools
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: wcstools
Version: el5
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Sergio Pascual
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 559863
Blocks:
 
Reported: 2010-02-04 10:26 UTC by Sergio Pascual
Modified: 2015-01-24 00:46 UTC (History)

Fixed In Version:
Clone Of: 559863
Environment:
Last Closed: 2015-01-24 00:46:52 UTC
Type: ---
Embargoed:



Description Sergio Pascual 2010-02-04 10:26:55 UTC
+++ This bug was initially created as a clone of Bug #559863 +++

Description of problem:

When using wcstools in FC12, version 3.7.0-8.fc12.x86_64, within a C++ program to read a FITS file image with a long header, the program exits abnormally with the following error:

*** buffer overflow detected ***: postager terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x38c2af75e7]
/lib64/libc.so.6[0x38c2af5600]
/usr/lib64/libwc.so.0(wcstype+0x1bc)[0x38c162cf1c]
/usr/lib64/libwc.so.0(wcsinitc+0xe7b)[0x38c16261ab]
/usr/lib64/libwc.so.0(wcsinit+0x13)[0x38c1627e73]
~/lib/libcmine.so.0(_Z5getxySsddRdS_+0xba)[0x7f774f2a3459]
~/lib/libcmine.so.0(_Z5getxySsffRfS_+0x84)[0x7f774f2a7541]
postager(main+0x1c2d)[0x40a0cd]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x38c2a1eb1d]
postager[0x404b49]
======= Memory map: ========
00400000-00422000 r-xp 00000000 fd:02 76808352                           ~/src/postager
00622000-00623000 rw-p 00022000 fd:02 76808352                           ~/src/postager
00623000-00624000 rw-p 00000000 00:00 0 
016c5000-016e6000 rw-p 00000000 00:00 0                                  [heap]
38c1200000-38c121e000 r-xp 00000000 fd:00 873791                         /lib64/ld-2.11.1.so
38c141d000-38c141e000 r--p 0001d000 fd:00 873791                         /lib64/ld-2.11.1.so
38c141e000-38c141f000 rw-p 0001e000 fd:00 873791                         /lib64/ld-2.11.1.so
38c141f000-38c1420000 rw-p 00000000 00:00 0 
38c1600000-38c16b1000 r-xp 00000000 fd:00 383867                         /usr/lib64/libwcs.so.0.0.0
38c16b1000-38c18b0000 ---p 000b1000 fd:00 383867                         /usr/lib64/libwcs.so.0.0.0
38c18b0000-38c18b4000 rw-p 000b0000 fd:00 383867                         /usr/lib64/libwcs.so.0.0.0
38c18b4000-38c18b8000 rw-p 00000000 00:00 0 
38c1a00000-38c1a03000 r-xp 00000000 fd:00 874881                         /lib64/libcom_err.so.2.1
38c1a03000-38c1c02000 ---p 00003000 fd:00 874881                         /lib64/libcom_err.so.2.1
38c1c02000-38c1c03000 rw-p 00002000 fd:00 874881                         /lib64/libcom_err.so.2.1
38c1e00000-38c1f6f000 r-xp 00000000 fd:00 384515                         /usr/lib64/libcrypto.so.1.0.0
38c1f6f000-38c216e000 ---p 0016f000 fd:00 384515                         /usr/lib64/libcrypto.so.1.0.0
38c216e000-38c2190000 rw-p 0016e000 fd:00 384515                         /usr/lib64/libcrypto.so.1.0.0
38c2190000-38c2194000 rw-p 00000000 00:00 0 
38c2200000-38c2209000 r-xp 00000000 fd:00 874879                         /lib64/libkrb5support.so.0.1
38c2209000-38c2408000 ---p 00009000 fd:00 874879                         /lib64/libkrb5support.so.0.1
38c2408000-38c2409000 rw-p 00008000 fd:00 874879                         /lib64/libkrb5support.so.0.1
38c2600000-38c262d000 r-xp 00000000 fd:00 874883                         /lib64/libgssapi_krb5.so.2.2
38c262d000-38c282d000 ---p 0002d000 fd:00 874883                         /lib64/libgssapi_krb5.so.2.2
38c282d000-38c282f000 rw-p 0002d000 fd:00 874883                         /lib64/libgssapi_krb5.so.2.2
38c2a00000-38c2b6f000 r-xp 00000000 fd:00 873794                         /lib64/libc-2.11.1.so
38c2b6f000-38c2d6f000 ---p 0016f000 fd:00 873794                         /lib64/libc-2.11.1.so
38c2d6f000-38c2d73000 r--p 0016f000 fd:00 873794                         /lib64/libc-2.11.1.so
38c2d73000-38c2d74000 rw-p 00173000 fd:00 873794                         /lib64/libc-2.11.1.so
38c2d74000-38c2d79000 rw-p 00000000 00:00 0 
38c2e00000-38c2e83000 r-xp 00000000 fd:00 874871                         /lib64/libm-2.11.1.so
38c2e83000-38c3082000 ---p 00083000 fd:00 874871                         /lib64/libm-2.11.1.so
38c3082000-38c3083000 r--p 00082000 fd:00 874871                         /lib64/libm-2.11.1.so
38c3083000-38c3084000 rw-p 00083000 fd:00 874871                         /lib64/libm-2.11.1.so
38c3200000-38c3202000 r-xp 00000000 fd:00 874268                         /lib64/libdl-2.11.1.so
38c3202000-38c3402000 ---p 00002000 fd:00 874268                         /lib64/libdl-2.11.1.so
38c3402000-38c3403000 r--p 00002000 fd:00 874268                         /lib64/libdl-2.11.1.so
38c3403000-38c3404000 rw-p 00003000 fd:00 874268                         /lib64/libdl-2.11.1.so
38c3600000-38c3617000 r-xp 00000000 fd:00 874836                         /lib64/libpthread-2.11.1.so
38c3617000-38c3816000 ---p 00017000 fd:00 874836                         /lib64/libpthread-2.11.1.so
38c3816000-38c3817000 r--p 00016000 fd:00 874836                         /lib64/libpthread-2.11.1.so
38c3817000-38c3818000 rw-p 00017000 fd:00 874836                         /lib64/libpthread-2.11.1.so
38c3818000-38c381c000 rw-p 00000000 00:00 0 
38c3a00000-38c3a15000 r-xp 00000000 fd:00 874869                         /lib64/libz.so.1.2.3
38c3a15000-38c3c14000 ---p 00015000 fd:00 874869                         /lib64/libz.so.1.2.3
38c3c14000-38c3c15000 rw-p 00014000 fd:00 874869                         /lib64/libz.so.1.2.3
38c4200000-38c421c000 r-xp 00000000 fd:00 874866                         /lib64/libselinux.so.1
38c421c000-38c441b000 ---p 0001c000 fd:00 874866                         /lib64/libselinux.so.1
38c441b000-38c441c000 r--p 0001b000 fd:00 874866                         /lib64/libselinux.so.1
38c441c000-38c441d000 rw-p 0001c000 fd:00 874866                         /lib64/libselinux.so.1
38c441d000-38c441e000 rw-p 00000000 00:00 0 
38c4a00000-38c4a15000 r-xp 00000000 fd:00 874865                         /lib64/libresolv-2.11.1.so
38c4a15000-38c4c15000 ---p 00015000 fd:00 874865                         /lib64/libresolv-2.11.1.so
38c4c15000-38c4c16000 r--p 00015000 fd:00 874865                         /lib64/libresolv-2.11.1.so
38c4c16000-38c4c17000 rw-p 00016000 fd:00 874865                         /lib64/libresolv-2.11.1.so
38c4c17000-38c4c19000 rw-p 00000000 00:00 0 
38c5200000-38c521b000 r-xp 00000000 fd:00 383880                         /usr/lib64/libxcb.so.1.1.0
38c521b000-38c541a000 ---p 0001b000 fd:00 383880                         /usr/lib64/libxcb.so.1.1.0
38c541a000-38c541b000 rw-p 0001a000 fd:00 383880                         /usr/lib64/libxcb.so.1.1.0
38c5600000-38c5602000 r-xp 00000000 fd:00 383876                         /usr/lib64/libXau.so.6.0.0
38c5602000-38c5802000 ---p 00002000 fd:00 383876                         /usr/lib64/libXau.so.6.0.0
38c5802000-38c5803000 rw-p 00002000 fd:00 383876                         /usr/lib64/libXau.so.6.0.0
38c5a00000-38c5b39000 r-xp 00000000 fd:00 383910                         /usr/lib64/libX11.so.6.3.0
38c5b39000-38c5d39000 ---p 00139000 fd:00 383910                         /usr/lib64/libX11.so.6.3.0
38c5d39000-38c5d3f000 rw-p 00139000 fd:00 383910                         /usr/lib64/libX11.so.6.3.0
38c6a00000-38c6a37000 r-xp 00000000 fd:00 844088                         /usr/lib64/libgslcblas.so.0.0.0
38c6a37000-38c6c36000 ---p 00037000 fd:00 844088                         /usr/lib64/libgslcblas.so.0.0.0
38c6c36000-38c6c37000 rw-p 00036000 fd:00 844088                         /usr/lib64/libgslcblas.so.0.0.0
Abort


Version-Release number of selected component (if applicable): 3.7.0-8.fc12.x86_64


How reproducible: Always


Steps to Reproduce:
1. Read an image with a long header and RA---TAN-SIP, DEC--TAN-SIP WCS system.
2. Try to use wcsinit.
Actual results: Program Aborted before wcsinit finishes.


Expected results: wcsinit should run and allow to use other wcstools functions.


Additional info:

    The problem occurs when calling wcsinit.

    Problem goes away if header of FITS file is edited and CTYPE1 and CTYPE2 keyword values are changed from RA---TAN-SIP and DEC--TAN-SIP to RA---TAN and DEC--TAN. 

    Problem does not occur when working with the same original FITS image in FC11, wcstools version 3.7.0-7.fc11.x86_64.

    Problem does not occur when using own compilation of wcstools version 3.8.1.

--- Additional comment from sergio.pasra on 2010-01-29 08:08:54 EST ---

Pablo, thanks for the bug report.

Could you put somewhere a sample FITS that makes the application crash?

--- Additional comment from pgperez.ucm.es on 2010-01-29 10:59:41 EST ---

Here it is:

http://guaix.fis.ucm.es/~pgperez/temp/thdfn_all_ch1_m.fits

And the code I was running:

#include <cstring>
#include <string>
#include "fitsfile.h"   // fitsrhead()
#include "wcs.h"        // struct WorldCoor, wcsinit(), wcs2pix()

using std::string;

struct WorldCoor *rwcs;
string rname="thdfn_all_ch1_m.fits";
char *header, *rfile;
int lhead,nbhead,off;
double esa1=0,esa2=0,wx,wy;   // sky position in, pixel position out (declared here; not in the original excerpt)
rfile=new char [rname.length()+1];
strcpy(rfile,rname.c_str());
header=fitsrhead(rfile,&lhead,&nbhead);   // returns NULL if the file cannot be read
rwcs=wcsinit(header);
//Abort is produced in the previous line!!!!

wcs2pix(rwcs,esa1,esa2,&wx,&wy,&off);
...

--- Additional comment from sergio.pasra on 2010-02-01 07:24:21 EST ---

I'm testing wcstools 3.8.1

The size of field c1type in struct WorldCoor is 9, but the value copied into it is 'RA---TAN-SIP', whose length is 12. There are other fields with numeric values, such as radecsys[32] or ctype[9][9]. I don't feel I can fix the bug without the danger of creating new problems

I will report the bug upstream.
If the maintainer creates a fix, I can patch the fedora package

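The field-size mismatch described in the comment above (a 12-character CTYPE value copied into a 9-byte field, which glibc's _FORTIFY_SOURCE check reported through the `__fortify_fail` frame in the backtrace) is a plain fixed-buffer overflow. The following is an added example written for this page, not wcstools source: it parses constructed FITS header cards and stores CTYPEn values into fields sized like the ones named in the thread (c1type[9], ctype[9][9]), refusing values that do not fit instead of copying them blindly. The struct, the function names and the sample cards are all assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CTYPE_LEN 9   /* 8 characters plus NUL: the c1type[9] size from the thread */
#define NAXES     9   /* mirrors ctype[9][9] */
#define CARD_LEN  80  /* FITS header cards are 80 columns */

/* Hypothetical stand-in for the wcstools fields named in the thread. */
struct wcs_fields {
    char c1type[CTYPE_LEN];
    char ctype[NAXES][CTYPE_LEN];
};

/* Extract the quoted string value of a header card such as
 *   CTYPE1  = 'RA---TAN-SIP'        / comment
 * into out. Returns the value length, -1 if the card carries no string
 * value, -2 if the value would not fit in out (truncation is refused). */
int fits_card_string(const char *card, char *out, size_t outsz)
{
    const char *p = strchr(card, '=');
    if (p == NULL) return -1;
    for (p++; *p == ' '; p++) { }
    if (*p != '\'') return -1;
    p++;
    const char *end = strchr(p, '\'');
    if (end == NULL) return -1;
    size_t n = (size_t)(end - p);
    while (n > 0 && p[n - 1] == ' ') n--;   /* FITS pads string values with blanks */
    if (n + 1 > outsz) return -2;
    memcpy(out, p, n);
    out[n] = '\0';
    return (int)n;
}

/* Store a CTYPE value in the fixed 9-byte fields. The unsafe form behind the
 * report is the unbounded equivalent, strcpy(w->c1type, value), which writes
 * 13 bytes of "RA---TAN-SIP" into a 9-byte array. Returns 0, or -2 when the
 * value does not fit; nothing is written in that case. */
int wcs_set_ctype(struct wcs_fields *w, int axis, const char *value)
{
    if (axis < 1 || axis > NAXES) return -1;
    size_t n = strlen(value);
    if (n >= CTYPE_LEN) return -2;
    memcpy(w->ctype[axis - 1], value, n + 1);
    if (axis == 1) memcpy(w->c1type, value, n + 1);
    return 0;
}

/* Walk an in-memory header (concatenated 80-column cards, no newlines) and
 * load every CTYPEn card. Returns 0 or the first negative code encountered. */
int wcs_read_ctypes(const char *header, struct wcs_fields *w)
{
    char card[CARD_LEN + 1], value[CARD_LEN + 1];
    size_t len = strlen(header);
    for (size_t off = 0; off + CARD_LEN <= len; off += CARD_LEN) {
        memcpy(card, header + off, CARD_LEN);
        card[CARD_LEN] = '\0';
        if (strncmp(card, "END     ", 8) == 0) break;
        if (strncmp(card, "CTYPE", 5) != 0 || card[5] < '1' || card[5] > '9') continue;
        int r = fits_card_string(card, value, sizeof value);
        if (r < 0) return r;
        r = wcs_set_ctype(w, card[5] - '0', value);
        if (r < 0) return r;
    }
    return 0;
}

/* Pad constructed card texts to 80 columns into buf. Returns bytes written, 0 on overflow. */
size_t build_header(char *buf, size_t bufsz, const char *const *cards, size_t ncards)
{
    size_t off = 0;
    for (size_t i = 0; i < ncards; i++) {
        if (off + CARD_LEN + 1 > bufsz || strlen(cards[i]) > CARD_LEN) return 0;
        snprintf(buf + off, bufsz - off, "%-80s", cards[i]);
        off += CARD_LEN;
    }
    buf[off] = '\0';
    return off;
}

/* Constructed headers (not the attached file): sip=1 mirrors the report's
 * CTYPEs, sip=0 the reporter's hand-edited workaround. Returns the
 * wcs_read_ctypes result, or -3 if the sample header could not be built. */
int run_sample(int sip)
{
    const char *sip_cards[]   = { "SIMPLE  =                    T", "CTYPE1  = 'RA---TAN-SIP'", "CTYPE2  = 'DEC--TAN-SIP'", "END" };
    const char *plain_cards[] = { "SIMPLE  =                    T", "CTYPE1  = 'RA---TAN'", "CTYPE2  = 'DEC--TAN'", "END" };
    char header[4 * CARD_LEN + 1];
    struct wcs_fields w;
    memset(&w, 0, sizeof w);
    if (build_header(header, sizeof header, sip ? sip_cards : plain_cards, 4) == 0) return -3;
    return wcs_read_ctypes(header, &w);
}

/* Parse one card and compare its value with expect; 1 if equal, else 0. */
int card_value_is(const char *card, const char *expect)
{
    char value[CARD_LEN + 1];
    return fits_card_string(card, value, sizeof value) >= 0 && strcmp(value, expect) == 0;
}

int main(void)
{
    printf("SIP header:   %d (-2: value too long for c1type[9])\n", run_sample(1));
    printf("plain header: %d (0: both CTYPEs stored)\n", run_sample(0));
    return 0;
}
```

Refusing rather than truncating matters here: silently cutting 'RA---TAN-SIP' down to 'RA---TAN' would drop the SIP distortion terms, which is exactly the semantic change the reporter made by hand as a workaround, except that nobody would notice. The fortify check that aborted postager fires only where the compiler can see the destination size at the copy site (Fedora builds with -D_FORTIFY_SOURCE=2 and optimisation), and it turns the corruption into an abort rather than making the copy correct, which is why the same library built without it can run on, with whatever lands past the end of the field.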
--- Additional comment from updates on 2010-02-03 13:44:26 EST ---

wcstools-3.8.1-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/wcstools-3.8.1-1.fc12

--- Additional comment from updates on 2010-02-03 13:45:42 EST ---

wcstools-3.8.1-1.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/wcstools-3.8.1-1.fc11.1

--- Additional comment from pgperez.ucm.es on 2010-02-04 04:03:25 EST ---

wcstools-3.8.1-1.fc12 seems to have solved the issue. And it has also solved a related problem in ds9, which aborted when loading the same type of image. Thanks.

