mapbox / mapnik-vector-tile

Mapnik implementation of the Mapbox Vector Tile specification
BSD 3-Clause "New" or "Revised" License

heap-use-after-free in ClipperLib::Clipper::FixupOutPolygon #198

Closed springmeyer closed 8 years ago

springmeyer commented 8 years ago

This is replicable by doing:

export CXX="/opt/llvm/bin/clang++"
export CFLAGS="-fsanitize=address"
export CXXFLAGS="-fsanitize=address"
export LDFLAGS="-fsanitize=address"
BUILDTYPE=Debug make test V=1
./build/Debug/vtile-fuzz
=================================================================
==49086==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000106f30 at pc 0x00010dae1ff0 bp 0x7fff52171730 sp 0x7fff52171728
READ of size 8 at 0x604000106f30 thread T0
    #0 0x10dae1fef in ClipperLib::Clipper::FixupOutPolygon(ClipperLib::OutRec&) (/Users/dane/projects/mapnik-vector-tile/./build/Debug/vtile-fuzz+0x100056fef)
    #1 0x10dad6ebf in ClipperLib::Clipper::ExecuteInternal() (/Users/dane/projects/mapnik-vector-tile/./build/Debug/vtile-fuzz+0x10004bebf)
    #2 0x10dad2473 in ClipperLib::Clipper::Execute(ClipperLib::ClipType, ClipperLib::PolyTree&, ClipperLib::PolyFillType, ClipperLib::PolyFillType) (/Users/dane/projects/mapnik-vector-tile/./build/Debug/vtile-fuzz+0x100047473)
    #3 0x10da92345 in mapnik::vector_tile_impl::geometry_clipper<noop_process>::operator()(mapnik::geometry::polygon<long long, mapnik::geometry::rings_container>&) (/Users/dane/projects/mapnik-vector-tile/./build/Debug/vtile-fuzz+0x100007345)
    #4 0x10da8cb5c in main (/Users/dane/projects/mapnik-vector-tile/./build/Debug/vtile-fuzz+0x100001b5c)
    #5 0x7fff95b185ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #6 0x0  (<unknown module>)

0x604000106f30 is located 32 bytes inside of 40-byte region [0x604000106f10,0x604000106f38)
freed by thread T0 here:
    #0 0x10f56deab in wrap__ZdlPv (/opt/llvm/lib/clang/3.9.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x57eab)
    #1 0x10dab5759 in ClipperLib::DisposeOutPts(ClipperLib::OutPt*&) (/Users/dane/projects/mapnik-vector-tile/./build/Debug/vtile-fuzz+0x10002a759)
    #2 0x10dae20e6 in ClipperLib::Clipper::FixupOutPolygon(ClipperLib::OutRec&) (/Users/dane/projects/mapnik-vector-tile/./build/Debug/vtile-fuzz+0x1000570e6)
    #3 0x10dad6ebf in ClipperLib::Clipper::ExecuteInternal() (/Users/dane/projects/mapnik-vector-tile/./build/Debug/vtile-fuzz+0x10004bebf)
    #4 0x10dad2473 in ClipperLib::Clipper::Execute(ClipperLib::ClipType, ClipperLib::PolyTree&, ClipperLib::PolyFillType, ClipperLib::PolyFillType) (/Users/dane/projects/mapnik-vector-tile/./build/Debug/vtile-fuzz+0x100047473)
    #5 0x10da92345 in mapnik::vector_tile_impl::geometry_clipper<noop_process>::operator()(mapnik::geometry::polygon<long long, mapnik::geometry::rings_container>&) (/Users/dane/projects/mapnik-vector-tile/./build/Debug/vtile-fuzz+0x100007345)
    #6 0x10da8cb5c in main (/Users/dane/projects/mapnik-vector-tile/./build/Debug/vtile-fuzz+0x100001b5c)
    #7 0x7fff95b185ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #8 0x0  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x10f56d8eb in wrap__Znwm (/opt/llvm/lib/clang/3.9.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x578eb)
    #1 0x10daf425d in ClipperLib::Clipper::AddOutPt(ClipperLib::TEdge*, mapnik::geometry::point<long long> const&) (/Users/dane/projects/mapnik-vector-tile/./build/Debug/vtile-fuzz+0x10006925d)
    #2 0x10daf9acd in ClipperLib::Clipper::IntersectEdges(ClipperLib::TEdge*, ClipperLib::TEdge*, mapnik::geometry::point<long long>&) (/Users/dane/projects/mapnik-vector-tile/./build/Debug/vtile-fuzz+0x10006eacd)
    #3 0x10db09012 in ClipperLib::Clipper::ProcessIntersectList() (/Users/dane/projects/mapnik-vector-tile/./build/Debug/vtile-fuzz+0x10007e012)
    #4 0x10dadb8dc in ClipperLib::Clipper::ProcessIntersections(long long) (/Users/dane/projects/mapnik-vector-tile/./build/Debug/vtile-fuzz+0x1000508dc)
    #5 0x10dad63dc in ClipperLib::Clipper::ExecuteInternal() (/Users/dane/projects/mapnik-vector-tile/./build/Debug/vtile-fuzz+0x10004b3dc)
    #6 0x10dad2473 in ClipperLib::Clipper::Execute(ClipperLib::ClipType, ClipperLib::PolyTree&, ClipperLib::PolyFillType, ClipperLib::PolyFillType) (/Users/dane/projects/mapnik-vector-tile/./build/Debug/vtile-fuzz+0x100047473)
    #7 0x10da92345 in mapnik::vector_tile_impl::geometry_clipper<noop_process>::operator()(mapnik::geometry::polygon<long long, mapnik::geometry::rings_container>&) (/Users/dane/projects/mapnik-vector-tile/./build/Debug/vtile-fuzz+0x100007345)
    #8 0x10da8cb5c in main (/Users/dane/projects/mapnik-vector-tile/./build/Debug/vtile-fuzz+0x100001b5c)
    #9 0x7fff95b185ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #10 0x0  (<unknown module>)
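The report above has the classic shape of a linked-structure use-after-free: `FixupOutPolygon` calls `DisposeOutPts`, which frees the output-point nodes, and the same function then reads one of those nodes again. The following C++ is an added illustration written for this page, not Clipper's or mapnik-vector-tile's own code: it models a doubly linked ring of output points (`OutPt`, a hypothetical simplified struct), a fixup pass that removes consecutive duplicate points, and a degenerate-ring branch that disposes the whole ring. `fixup_ring_buggy` shows the defect pattern (it is never executed here; built with `-fsanitize=address` as in the commands above, calling it on a degenerate ring produces a heap-use-after-free report), and `fixup_ring_fixed` shows the defensive shape: after disposing, null out the caller's head pointer and return immediately so nothing touches freed memory. The names, the duplicate-removal rule and the sample rings are all constructed for the example.

```cpp
// Added example (not Clipper code): a ring of output points and a fixup pass,
// with the use-after-free pattern from the ASan report beside its fixed form.
#include <cstddef>
#include <cstdio>
#include <utility>
#include <vector>

// Hypothetical simplified output point: a node in a circular doubly linked ring.
struct OutPt {
    long long x, y;
    OutPt* next;
    OutPt* prev;
};

// Build a circular ring from a point list (constructed sample input in main/test).
OutPt* make_ring(const std::vector<std::pair<long long, long long>>& pts) {
    OutPt* head = nullptr;
    OutPt* tail = nullptr;
    for (const auto& xy : pts) {
        OutPt* n = new OutPt{xy.first, xy.second, nullptr, nullptr};
        if (!head) head = n;
        else { tail->next = n; n->prev = tail; }
        tail = n;
    }
    if (head) { tail->next = head; head->prev = tail; }
    return head;
}

// Free every node of the ring. Mirrors the role DisposeOutPts plays in the trace:
// after this call every OutPt* that pointed into the ring is dangling.
void dispose_ring(OutPt* pp) {
    if (!pp) return;
    pp->prev->next = nullptr;  // break the cycle so the walk terminates
    while (pp) { OutPt* next = pp->next; delete pp; pp = next; }
}

// Count the nodes in a ring (0 for a null head).
std::size_t count_ring(const OutPt* ring) {
    if (!ring) return 0;
    std::size_t n = 0;
    const OutPt* p = ring;
    do { ++n; p = p->next; } while (p != ring);
    return n;
}

// Remove consecutive duplicate points in place. `last_ok` marks the start of a
// lap with no deletions; reaching it again means the ring is clean. `ring` is
// re-pointed if the head node itself is the duplicate that gets deleted.
void remove_duplicates(OutPt*& ring) {
    OutPt* pp = ring;
    OutPt* last_ok = nullptr;
    for (;;) {
        if (pp->next == pp) break;  // single node: nothing to compare against
        if (pp->x == pp->next->x && pp->y == pp->next->y) {
            OutPt* dup = pp->next;
            pp->next = dup->next;
            dup->next->prev = pp;
            if (ring == dup) ring = pp;
            delete dup;
            last_ok = nullptr;      // structure changed: require a fresh clean lap
        } else if (pp == last_ok) {
            break;                  // a full lap without a deletion
        } else {
            if (!last_ok) last_ok = pp;
            pp = pp->next;
        }
    }
}

// BUGGY shape of the defect in the report. Deliberately not called anywhere:
// once the ring is degenerate it is disposed, but execution continues and both
// `pp` and the caller's `ring` still point at freed nodes. Under ASan the final
// count_ring() call is reported as a heap-use-after-free READ.
std::size_t fixup_ring_buggy(OutPt*& ring) {
    if (!ring) return 0;
    remove_duplicates(ring);
    OutPt* pp = ring;
    if (pp->prev == pp || pp->prev == pp->next) {
        dispose_ring(pp);
        // BUG: no early return, and `ring` is left dangling for the caller
    }
    return count_ring(pp);  // reads freed memory when the ring was disposed
}

// FIXED shape: dispose, hand the caller a null head, and stop immediately.
std::size_t fixup_ring_fixed(OutPt*& ring) {
    if (!ring) return 0;
    remove_duplicates(ring);
    if (ring->prev == ring || ring->prev == ring->next) {
        dispose_ring(ring);
        ring = nullptr;     // a null head, never a dangling one
        return 0;
    }
    return count_ring(ring);
}

int main() {
    // Constructed sample: a square with one duplicated corner.
    OutPt* ring = make_ring({{0, 0}, {0, 0}, {10, 0}, {10, 10}, {0, 10}});
    std::printf("points after fixup: %zu\n", fixup_ring_fixed(ring));
    dispose_ring(ring);
    return 0;
}
```

The test for the fixed version is the invariant the buggy one violates: after a degenerate ring is disposed, the caller's head pointer is null, so a later `count_ring` or second fixup is a harmless no-op rather than a read of freed memory. Compiling this file with the `-fsanitize=address` flags from the reproduction commands and adding a call to `fixup_ring_buggy` on the three-point ring below is a cheap way to see what the report above looks like on a minimal case.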
springmeyer commented 8 years ago

solved by @flippmoke in https://github.com/mapbox/mapnik-vector-tile/commit/bf7a45b28d4a2883551570142b00d35b13792a73 / https://github.com/mapnik/clipper/commit/381c817fd13e819e90006ed1f3c26ea6f1e6e343