[geos-devel] [GEOS] #845: Head Use-After-Free geos::geomgraph::index::SweepLineEvent::isDelete()
GEOS
geos-trac at osgeo.org
Fri Nov 17 15:05:14 PST 2017
#845: Head Use-After-Free geos::geomgraph::index::SweepLineEvent::isDelete()
------------------------+--------------------------
Reporter: goatbar | Owner: geos-devel@…
Type: defect | Status: new
Priority: major | Milestone: 3.6.3
Component: Default | Version: master
Severity: Unassigned | Keywords:
------------------------+--------------------------
Related to #835, I set up fuzzers for geos and indirectly for geos from
fuzzers on GDAL. I've hit this same bug via WKT, WKB, and GML.
I'll go with the WKT version. This is the fuzzer I'm using with GEOS and
GDAL pretty much both at head.
https://github.com/schwehr/gdal-autotest2/blob/master/cpp/ogr/ogrgeometryfactory_wkt_fuzzer.cc
The crazy fuzzer proof of concept WKT:
{{{
CIRCULARSTRING(. --.,-KAN-NpolygonJ-p--2 5.--0
-2, 8 ..LI. -1.--.,-NAN---Np--2
5.,- ---,0 -1 ,.
-- --)R
}}}
Calling GDAL's OGRGeometry dumpReadable, I get:
{{{
CIRCULARSTRING Z (0 0 0,0 5 -2,8 0 -1,nan 5.0 0,0 0 0,0 -1 0,0 0 0)
}}}
{{{
AddressSanitizer: heap-use-after-free
READ of size 8
#0 geos::geomgraph::index::SweepLineEvent::isDelete() include/geos/geomgraph/index/SweepLineEvent.h:56:27
#1 geos::geomgraph::index::SimpleMCSweepLineIntersector::~SimpleMCSweepLineIntersector() src/geomgraph/index/SimpleMCSweepLineIntersector.cpp:42:12
#2 geos::geomgraph::index::SimpleMCSweepLineIntersector::~SimpleMCSweepLineIntersector() src/geomgraph/index/SimpleMCSweepLineIntersector.cpp:38:1
#3 geos::geomgraph::GeometryGraph::computeSelfNodes(geos::algorithm::LineIntersector&, bool, bool, geos::geom::Envelope const*) src/geomgraph/GeometryGraph.cpp:401:1
#4 geos::geomgraph::GeometryGraph::computeSelfNodes(geos::algorithm::LineIntersector&, bool, geos::geom::Envelope const*) src/geomgraph/GeometryGraph.cpp:366:9
#5 geos::operation::IsSimpleOp::isSimpleLinearGeometry(geos::geom::Geometry const*) src/operation/IsSimpleOp.cpp:174:46
#6 geos::geom::Geometry::isSimple() const src/geom/Geometry.cpp:866:12
#7 GEOSisRing_r capi/geos_ts_c.cpp:1756:25
#8 OGRGeometry::IsRing() const gdal/ogr/ogrgeometry.cpp:2262:19
#9 LLVMFuzzerTestOneInput gdal/autotest2/cpp/ogr/ogrgeometryfactory_wkt_fuzzer.cc:51:9
located 40 bytes inside of 56-byte region
freed here:
#0 operator delete(void*, unsigned long) llvm/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:153:3
#1 geos::geomgraph::index::SweepLineEvent::~SweepLineEvent() src/geomgraph/index/SweepLineEvent.cpp:41:3
#2 geos::geomgraph::index::SweepLineEvent::~SweepLineEvent() src/geomgraph/index/SweepLineEvent.cpp:39:34
#3 geos::geomgraph::index::SimpleMCSweepLineIntersector::~SimpleMCSweepLineIntersector() src/geomgraph/index/SimpleMCSweepLineIntersector.cpp:42:24
#4 geos::geomgraph::index::SimpleMCSweepLineIntersector::~SimpleMCSweepLineIntersector() src/geomgraph/index/SimpleMCSweepLineIntersector.cpp:38:1
#5 geos::geomgraph::GeometryGraph::computeSelfNodes(geos::algorithm::LineIntersector&, bool, bool, geos::geom::Envelope const*) src/geomgraph/GeometryGraph.cpp:401:1
#6 geos::geomgraph::GeometryGraph::computeSelfNodes(geos::algorithm::LineIntersector&, bool, geos::geom::Envelope const*) src/geomgraph/GeometryGraph.cpp:366:9
#7 geos::operation::IsSimpleOp::isSimpleLinearGeometry(geos::geom::Geometry const*) src/operation/IsSimpleOp.cpp:174:46
#8 geos::geom::Geometry::isSimple() const src/geom/Geometry.cpp:866:12
#9 GEOSisRing_r capi/geos_ts_c.cpp:1756:25
#10 OGRGeometry::IsRing() const gdal/ogr/ogrgeometry.cpp:2262:19
#11 LLVMFuzzerTestOneInput gdal/autotest2/cpp/ogr/ogrgeometryfactory_wkt_fuzzer.cc:51:9
previously allocated here:
#0 operator new(unsigned long) llvm/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:92:3
#1 geos::geomgraph::index::SimpleMCSweepLineIntersector::add(geos::geomgraph::Edge*, void*) src/geomgraph/index/SimpleMCSweepLineIntersector.cpp:99:31
#2 geos::geomgraph::index::SimpleMCSweepLineIntersector::add(std::vector<geos::geomgraph::Edge*, std::allocator<geos::geomgraph::Edge*> >*, void*) src/geomgraph/index/SimpleMCSweepLineIntersector.cpp:84:3
#3 geos::geomgraph::index::SimpleMCSweepLineIntersector::computeIntersections(std::vector<geos::geomgraph::Edge*, std::allocator<geos::geomgraph::Edge*> >*, geos::geomgraph::index::SegmentIntersector*, bool) src/geomgraph/index/SimpleMCSweepLineIntersector.cpp:52:3
#4 geos::geomgraph::GeometryGraph::computeSelfNodes(geos::algorithm::LineIntersector&, bool, bool, geos::geom::Envelope const*) src/geomgraph/GeometryGraph.cpp:393:7
#5 geos::geomgraph::GeometryGraph::computeSelfNodes(geos::algorithm::LineIntersector&, bool, geos::geom::Envelope const*) src/geomgraph/GeometryGraph.cpp:366:9
#6 geos::operation::IsSimpleOp::isSimpleLinearGeometry(geos::geom::Geometry const*) src/operation/IsSimpleOp.cpp:174:46
#7 geos::geom::Geometry::isSimple() const src/geom/Geometry.cpp:866:12
#8 GEOSisRing_r capi/geos_ts_c.cpp:1756:25
#9 OGRGeometry::IsRing() const gdal/ogr/ogrgeometry.cpp:2262:19
#10 LLVMFuzzerTestOneInput gdal/autotest2/cpp/ogr/ogrgeometryfactory_wkt_fuzzer.cc:51:9
}}}
--
Ticket URL: <https://trac.osgeo.org/geos/ticket/845>
GEOS <http://trac.osgeo.org/geos>
GEOS (Geometry Engine - Open Source) is a C++ port of the Java Topology Suite (JTS).
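The trace above shows the intersector's destructor calling isDelete() on a SweepLineEvent that an earlier iteration of the same loop had already freed through ~SweepLineEvent, on input whose dumpReadable form carries a NaN coordinate. The C++ model below is an added example, not GEOS code, and its mechanism is an assumption: it supposes a DELETE event owns its paired INSERT event and that the destructor loop only stays safe when every INSERT sorts before its DELETE twin, which a comparison-based sort stops guaranteeing once a coordinate is NaN. It shows the check that exposes an unsafe order, an ownership-explicit layout whose destruction is order-independent, and a boundary check that rejects non-finite coordinates.

```cpp
#include <cmath>
#include <memory>
#include <vector>

// Constructed model of a sweep-line event list (assumption; not GEOS's classes).
struct Event {
    double x;            // sweep coordinate the events are sorted by
    bool   deleteEvent;  // false = INSERT event, true = DELETE event
    Event* insertEvent;  // a DELETE event points back at its INSERT twin
    Event(double x_, bool d, Event* ins) : x(x_), deleteEvent(d), insertEvent(ins) {}
    bool isDelete() const { return deleteEvent; }
};

// Fragile layout (assumed from the trace): freeing a DELETE event also frees its
// INSERT twin, so a loop `for (Event* e : events) if (e->isDelete()) delete e;`
// is only safe when every INSERT precedes its DELETE. A sort by x cannot promise
// that once some x is NaN, because a.x < b.x is then false in both directions.
// This check reports whether such a loop would touch freed memory.
bool destructionOrderIsSafe(const std::vector<Event*>& events) {
    for (size_t i = 0; i < events.size(); ++i) {
        if (!events[i]->isDelete()) continue;
        bool insertSeen = false;
        for (size_t j = 0; j < i; ++j)
            if (events[j] == events[i]->insertEvent) insertSeen = true;
        if (!insertSeen) return false;  // isDelete() would read freed memory here
    }
    return true;
}

// Hardened layout: exactly one owner per event; the sortable view and the
// back-reference are non-owning, so destruction no longer depends on order.
struct SafeEventList {
    std::vector<std::unique_ptr<Event>> owned;  // sole owner of every event
    std::vector<Event*> events;                 // sortable, non-owning view
    void add(double xmin, double xmax) {
        owned.emplace_back(new Event(xmin, false, nullptr));
        Event* ins = owned.back().get();
        owned.emplace_back(new Event(xmax, true, ins));
        events.push_back(ins);
        events.push_back(owned.back().get());
    }
};

// Defense in depth at the parser boundary: reject non-finite coordinates before
// they can reach a comparator that assumes a strict weak ordering.
bool allCoordinatesFinite(const std::vector<double>& coords) {
    for (double c : coords) if (!std::isfinite(c)) return false;
    return true;
}
```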