
stack-buffer-overflow related to non-DE9IM argument for GEOSRelatePatternMatch_r #1084

Closed
stevenagy opened this issue Apr 26, 2024 · 0 comments · Fixed by #1089
Comments


stevenagy commented Apr 26, 2024

The following program:

#include <geos_c.h>

int main(int argc, char *argv[])
{
    GEOSContextHandle_t handle = GEOS_init_r();
    /* second argument ("mat") is 10 characters; a DE-9IM matrix string has exactly 9 */
    GEOSRelatePatternMatch_r(handle, "0000000000", "111111111");
    GEOS_finish_r(handle);
    return 0;
}

Results in the following stack buffer overflow:

==920298==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffdde4 at pc 0x555555a7f3ee bp 0x7fffffffdcb0 sp 0x7fffffffdca8
WRITE of size 4 at 0x7fffffffdde4 thread T0
    #0 0x555555a7f3ed in geos::geom::IntersectionMatrix::set(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/geos/lib_asan/src/geom/IntersectionMatrix.cpp:152:26
    #1 0x55555593506d in GEOSRelatePatternMatch_r::$_11::operator()() const /home/geos/lib_asan/capi/geos_ts_c.cpp:646:32
    #2 0x55555593506d in decltype(fp0) execute<GEOSRelatePatternMatch_r::$_11>(GEOSContextHandle_HS*, std::conditional<std::is_same<decltype(std::declval<GEOSRelatePatternMatch_r::$_11>()()), bool>::value, char, decltype(std::declval<GEOSRelatePatternMatch_r::$_11>()())>::type, GEOSRelatePatternMatch_r::$_11&&) /home/geos/lib_asan/capi/geos_ts_c.cpp:406:16
    #3 0x555555934dc1 in GEOSRelatePatternMatch_r 
    #4 0x555555930744 in main 
    #5 0x7ffff7029d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #6 0x7ffff7029e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #7 0x5555558704b4 in _start (BuildId: f2f0d6aa8fcc88fc49bab5d846274260243ce696)

Address 0x7fffffffdde4 is located in stack of thread T0 at offset 228 in frame
    #0 0x555555934e7f in decltype(fp0) execute<GEOSRelatePatternMatch_r::$_11>(GEOSContextHandle_HS*, std::conditional<std::is_same<decltype(std::declval<GEOSRelatePatternMatch_r::$_11>()()), bool>::value, char, decltype(std::declval<GEOSRelatePatternMatch_r::$_11>()())>::type, GEOSRelatePatternMatch_r::$_11&&) /home/geos/lib_asan/capi/geos_ts_c.cpp:395

  This frame has 5 object(s):
    [32, 64) 'm.i' (line 644)
    [96, 97) 'ref.tmp.i' (line 644)
    [112, 144) 'p.i' (line 645)
    [176, 177) 'ref.tmp8.i' (line 645)
    [192, 228) 'im.i' (line 646) <== Memory access at offset 228 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/geos/lib_asan/src/geom/IntersectionMatrix.cpp:152:26 in geos::geom::IntersectionMatrix::set(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)
Shadow bytes around the buggy address:
  0x10007fff7b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7ba0: f1 f1 f1 f1 00 00 00 00 f2 f2 f2 f2 f8 f2 00 00
=>0x10007fff7bb0: 00 00 f2 f2 f2 f2 f8 f2 00 00 00 00[04]f3 f3 f3
  0x10007fff7bc0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7bd0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
  0x10007fff7be0: 00 f2 f2 f2 00 00 f3 f3 00 00 00 00 00 00 00 00
  0x10007fff7bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==920298==ABORTING

The triggering condition appears to be when the second argument to GEOSRelatePatternMatch_r (char * mat) has size larger than 9 (i.e., is not DE9IM-compliant). However, the crash does not occur when only the third argument (char * pat) exceeds 9 in size.
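The frame layout in the report ('im.i' is 36 bytes, i.e. a 3x3 array of int, and the faulting write is a 4-byte store at offset 36) is consistent with a loader that indexes matrix[i/3][i%3] for every character of the string without first checking that there are exactly nine of them: the tenth character (i = 9) lands on row 3, one int past the end. The following is an added, standalone C model of that routine with the missing checks in place; it is not code from this report or from GEOS, links against nothing, and the names (de9im_set_checked, de9im_pattern_match, the DIM_* values) and the symbol-to-dimension mapping are this example's own assumptions, chosen to mirror the DE-9IM meaning of F/T/0/1/2/*.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Dimension values used by this model (assumed, not GEOS's own constants):
   F = empty, T = non-empty with unknown dimension, 0/1/2 = point/curve/area. */
enum { DIM_FALSE = -1, DIM_TRUE = -2, DIM_P = 0, DIM_L = 1, DIM_A = 2 };

#define DE9IM_LEN 9

/* Nine ints = 36 bytes, the same size as 'im.i' in the ASan frame. */
struct de9im { int matrix[3][3]; };

/* Map one matrix symbol to a dimension value; -3 marks an invalid symbol. */
static int symbol_to_dim(char c) {
    switch (c) {
    case 'F': return DIM_FALSE;
    case 'T': return DIM_TRUE;
    case '0': return DIM_P;
    case '1': return DIM_L;
    case '2': return DIM_A;
    default:  return -3;
    }
}

/* Checked loader: refuse anything but exactly nine valid symbols.
   An unchecked loop of the form matrix[i/3][i%3] = value(s[i]) over the whole
   string writes matrix[3][0] for the tenth character, four bytes past the
   array, which is the WRITE of size 4 at offset 36 shown in the report.
   Returns 0 on success, -1 on wrong length, -2 on an invalid symbol. */
int de9im_set_checked(struct de9im *im, const char *mat) {
    if (mat == NULL || strlen(mat) != DE9IM_LEN) return -1;
    int tmp[3][3];
    for (size_t i = 0; i < DE9IM_LEN; i++) {
        int d = symbol_to_dim(mat[i]);
        if (d == -3) return -2;
        tmp[i / 3][i % 3] = d;
    }
    memcpy(im->matrix, tmp, sizeof tmp);   /* commit only a fully valid matrix */
    return 0;
}

/* One cell of pattern matching: '*' matches anything, 'T' any non-empty
   entry, 'F' an empty one, a digit an exact dimension. Unknown pattern
   symbols never match. */
static bool cell_matches(int actual, char required) {
    switch (required) {
    case '*': return true;
    case 'T': return actual >= 0 || actual == DIM_TRUE;
    case 'F': return actual == DIM_FALSE;
    case '0': return actual == DIM_P;
    case '1': return actual == DIM_L;
    case '2': return actual == DIM_A;
    default:  return false;
    }
}

/* Safe counterpart of a relate-pattern-match call: both strings are checked
   for length before either is used. Returns 1 on match, 0 on mismatch,
   -1 on invalid input (the over-long "mat" from the report falls here). */
int de9im_pattern_match(const char *mat, const char *pat) {
    if (pat == NULL || strlen(pat) != DE9IM_LEN) return -1;
    struct de9im im;
    if (de9im_set_checked(&im, mat) != 0) return -1;
    for (size_t i = 0; i < DE9IM_LEN; i++)
        if (!cell_matches(im.matrix[i / 3][i % 3], pat[i])) return 0;
    return 1;
}

int main(void) {
    /* Constructed inputs: the report's ten-character matrix, then two valid
       matrices against the same pattern (one matching, one not). */
    return (de9im_pattern_match("0000000000", "111111111") == -1
         && de9im_pattern_match("212101212", "T*T***T**") == 1
         && de9im_pattern_match("FF2FF1212", "T*T***T**") == 0) ? 0 : 1;
}
```

The length check is applied to both strings. That is stricter than what the report observes (an over-long pattern alone does not crash, since only nine pattern characters are ever read), but a caller or wrapper has no reason to accept a malformed DE-9IM string for either argument, and rejecting it up front keeps the fix independent of how the library happens to index the pattern.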
