Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] lib/arraystats: heap buffer overflow in disabled 'Discont' algorithm #5486

Open
nilason opened this issue Apr 1, 2025 · 0 comments · May be fixed by #5529
Open

[Bug] lib/arraystats: heap buffer overflow in disabled 'Discont' algorithm #5486

nilason opened this issue Apr 1, 2025 · 0 comments · May be fixed by #5529
Labels
bug Something isn't working
Milestone
8.5.0

Comments

@nilason
Copy link
Contributor

nilason commented Apr 1, 2025
edited
Loading

Describe the bug

Shortly after introduction of GRASS arraystats library, a bug was discovered for the "Discont" algorithm, see ML, which was then disabled ac3098c.

Debugging this revealed a heap buffer overflow in line:

grass/lib/arraystats/class.c

Line 412 in bbb23c9

num[jj] = num[jj - 1];

The value of the variables at the AddressSanitizer breakpoint after running the equivalent to
v.class map=boundary_municp column=POP_APR_20 algo=dis nbclasses=5was:

tmp   (int)  0
j     (int)  1
i     (int)  5
jj    (int)  6
nff   (int)  7
num   (int*) 0x603000004a50
*num  (int)  -1094795586
nmax  (int)  3412

Note the size of num is 5 + 1:

grass/lib/arraystats/class.c

Line 299 in bbb23c9

num = G_malloc((nbclass + 1) * sizeof(int));

which obviously fails setting num[6] (num[5] is max).

I'm not familiar with the algorithm to present a fix for this.

@mlennert Perhaps you can revisit this now?
@nilason nilason added the bug Something isn't working label Apr 1, 2025
@nilason nilason added this to the 8.5.0 milestone Apr 1, 2025
nilason added a commit to nilason/grass that referenced this issue Apr 11, 2025
@nilason
lib/arraystats: re-enable "Discont" algorithm
7f40cbd 
Addresses heap buffer overflow in previously disabled 'Discont'
algorithm.

The immediate cause was too small allocation of variable `num` in
`AS_class_discont()`, which was fixed by an increase it's size (broadly
mirroring the original Fortran code).

This fix was complemented by some code related improvements:

- Code clean up and restructure of `AS_class_discont()`
- Re-enable "dis" algorithm in v.class and d.vect.thematic
- Pass `classbreaks` array by pointer to pointer to enable in- and
  output.

See: https://lists.osgeo.org/pipermail/grass-dev/2008-July/038951.html

Fixes: OSGeo#5486
nilason added a commit to nilason/grass that referenced this issue Apr 11, 2025
@nilason
lib/arraystats: re-enable "Discont" algorithm
9fc5dc3 
Addresses heap buffer overflow in previously disabled 'Discont'
algorithm.

The immediate cause was too small allocation of variable `num` in
`AS_class_discont()`, which was fixed by an increase of it's size
(broadly mirroring the original Fortran code).

This fix was complemented by some code related improvements:

- Code clean up and restructure of `AS_class_discont()`
- Re-enable "dis" algorithm in v.class and d.vect.thematic
- Pass `classbreaks` array by pointer to pointer to enable in- and
  output.

See: https://lists.osgeo.org/pipermail/grass-dev/2008-July/038951.html

Fixes: OSGeo#5486
@nilason nilason linked a pull request Apr 11, 2025 that will close this issue
Open
nilason added a commit to nilason/grass that referenced this issue Apr 12, 2025
@nilason
lib/arraystats: re-enable "Discont" algorithm
eadb813 
Addresses heap buffer overflow in previously disabled 'Discont'
algorithm.

The immediate cause was too small allocation of variable `num` in
`AS_class_discont()`, which was fixed by an increase of it's size
(broadly mirroring the original Fortran code).

This fix was complemented by some code related improvements:

- Code clean up and restructure of `AS_class_discont()`
- Re-enable "dis" algorithm in v.class and d.vect.thematic
- Pass `classbreaks` array by pointer to pointer to enable in- and
  output.

See: https://lists.osgeo.org/pipermail/grass-dev/2008-July/038951.html

Fixes: OSGeo#5486
nilason added a commit to nilason/grass that referenced this issue Apr 13, 2025
@nilason
lib/arraystats: re-enable "Discont" algorithm
5cb06bd 
Addresses heap buffer overflow in previously disabled 'Discont'
algorithm.

The immediate cause was too small allocation of variable `num` in
`AS_class_discont()`, which was fixed by an increase of its size
(broadly mirroring the original Fortran code).

This fix was complemented by some code related improvements:

- Code clean up and restructure of `AS_class_discont()`
- Re-enable "dis" algorithm in v.class and d.vect.thematic
- Pass `classbreaks` array by pointer to pointer to enable in- and
  output.

See: https://lists.osgeo.org/pipermail/grass-dev/2008-July/038951.html

Fixes: OSGeo#5486
nilason added a commit to nilason/grass that referenced this issue Apr 13, 2025
@nilason
lib/arraystats: re-enable "Discont" algorithm
7d42ec3 
Addresses heap buffer overflow in previously disabled 'Discont'
algorithm.

The immediate cause was too small allocation of variable `num` in
`AS_class_discont()`, which was fixed by an increase of its size
(broadly mirroring the original Fortran code).

This fix was complemented by some code related improvements:

- Code clean up and restructure of `AS_class_discont()`
- Re-enable "dis" algorithm in v.class and d.vect.thematic
- Pass `classbreaks` array by pointer to pointer to enable in- and
  output.

See: https://lists.osgeo.org/pipermail/grass-dev/2008-July/038951.html

Fixes: OSGeo#5486
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
8.5.0
Development

Successfully merging a pull request may close this issue.

lib/arraystats: re-enable "Discont" algorithm nilason/grass
1 participant
@nilason