==920298==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffdde4 at pc 0x555555a7f3ee bp 0x7fffffffdcb0 sp 0x7fffffffdca8
WRITE of size 4 at 0x7fffffffdde4 thread T0
#0 0x555555a7f3ed in geos::geom::IntersectionMatrix::set(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/geos/lib_asan/src/geom/IntersectionMatrix.cpp:152:26
#1 0x55555593506d in GEOSRelatePatternMatch_r::$_11::operator()() const /home/geos/lib_asan/capi/geos_ts_c.cpp:646:32
#2 0x55555593506d in decltype(fp0) execute<GEOSRelatePatternMatch_r::$_11>(GEOSContextHandle_HS*, std::conditional<std::is_same<decltype(std::declval<GEOSRelatePatternMatch_r::$_11>()()), bool>::value, char, decltype(std::declval<GEOSRelatePatternMatch_r::$_11>()())>::type, GEOSRelatePatternMatch_r::$_11&&) /home/geos/lib_asan/capi/geos_ts_c.cpp:406:16
#3 0x555555934dc1 in GEOSRelatePatternMatch_r
#4 0x555555930744 in main
#5 0x7ffff7029d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x7ffff7029e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#7 0x5555558704b4 in _start (BuildId: f2f0d6aa8fcc88fc49bab5d846274260243ce696)
Address 0x7fffffffdde4 is located in stack of thread T0 at offset 228 in frame
#0 0x555555934e7f in decltype(fp0) execute<GEOSRelatePatternMatch_r::$_11>(GEOSContextHandle_HS*, std::conditional<std::is_same<decltype(std::declval<GEOSRelatePatternMatch_r::$_11>()()), bool>::value, char, decltype(std::declval<GEOSRelatePatternMatch_r::$_11>()())>::type, GEOSRelatePatternMatch_r::$_11&&) /home/geos/lib_asan/capi/geos_ts_c.cpp:395
This frame has 5 object(s):
[32, 64) 'm.i' (line 644)
[96, 97) 'ref.tmp.i' (line 644)
[112, 144) 'p.i' (line 645)
[176, 177) 'ref.tmp8.i' (line 645)
[192, 228) 'im.i' (line 646) <== Memory access at offset 228 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/geos/lib_asan/src/geom/IntersectionMatrix.cpp:152:26 in geos::geom::IntersectionMatrix::set(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)
Shadow bytes around the buggy address:
0x10007fff7b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7ba0: f1 f1 f1 f1 00 00 00 00 f2 f2 f2 f2 f8 f2 00 00
=>0x10007fff7bb0: 00 00 f2 f2 f2 f2 f8 f2 00 00 00 00[04]f3 f3 f3
0x10007fff7bc0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7bd0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
0x10007fff7be0: 00 f2 f2 f2 00 00 f3 f3 00 00 00 00 00 00 00 00
0x10007fff7bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==920298==ABORTING
The triggering condition appears to be when the second argument to GEOSRelatePatternMatch_r (char * mat) has size larger than 9 (i.e., is not DE9IM-compliant). However, the crash does not occur when only the third argument (char * pat) exceeds 9 in size.
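As an added illustration (not GEOS's own code), a minimal model of the fixed 3x3 matrix that the report shows being overrun, with a `set()` that validates the DE-9IM string before writing anything, plus the length and symbol check a C-API caller can run over both `mat` and `pat` before calling `GEOSRelatePatternMatch_r`. The dimension codes, `isValidDE9IM` and `setThenCell` are assumptions introduced here.

```cpp
#include <cstddef>
#include <string>

// DE-9IM cell codes; values are assumed here (modelled on GEOS's Dimension enum), not GEOS code.
enum Dim : int { DONTCARE = -3, TRUE_ = -2, FALSE_ = -1, P = 0, L = 1, A = 2 };

// Map one DE-9IM symbol to its dimension code; false for anything else.
bool toDimensionValue(char c, int* out) {
    switch (c) {
        case '0': *out = P;        return true;
        case '1': *out = L;        return true;
        case '2': *out = A;        return true;
        case 'F': case 'f': *out = FALSE_;   return true;
        case 'T': case 't': *out = TRUE_;    return true;
        case '*': *out = DONTCARE; return true;
        default:  return false;
    }
}

// A DE-9IM string is exactly nine symbols, one per cell; run this over `mat` and `pat` before the C call.
bool isValidDE9IM(const std::string& s) {
    if (s.size() != 9) return false;
    int tmp = 0;
    for (char c : s) {
        if (!toDimensionValue(c, &tmp)) return false;
    }
    return true;
}

// Fixed 3x3 grid, like the 36-byte 'im.i' frame object in the sanitizer report.
struct IntersectionMatrix {
    int matrix[3][3] = {};
    // The unchecked pattern loops over s.size() storing into matrix[i / 3][i % 3]; a tenth
    // character makes i / 3 == 3 and the store lands past the array. Validate first, write after.
    bool set(const std::string& s) {
        if (!isValidDE9IM(s)) return false;
        for (std::size_t i = 0; i < 9; ++i) {
            toDimensionValue(s[i], &matrix[i / 3][i % 3]);
        }
        return true;
    }
};

// Stand-alone check helper: set() on a fresh matrix and return one cell, or 99 if rejected.
int setThenCell(const std::string& s, int row, int col) {
    IntersectionMatrix im;
    return im.set(s) ? im.matrix[row][col] : 99;
}
```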
dbaston added a commit to dbaston/libgeos that referenced this issue on Apr 30, 2024.