Public bug reported:

Hello,
Below is a description of a crash found by the dynamic analysis tool Sydr
(part of the Crusher system) https://www.ispras.ru/en/technologies/sydr/ developed
at ISP RAS.

Division by zero:
(gdb) r
Starting program: /home/fedotoff/hdp-test/hdp-crash/libhdf4-4.2.14/install/bin/hdp dumpsds ./segfault37.hdf

Program received signal SIGFPE, Arithmetic exception.
0x00000000004ba4d8 in VSread (vkey=1073741846, buf=0x7ffbf7be4010 "", nelt=2147483647, interlace=0) at vrw.c:276
276                     chunk = buf_size / hsize + 1;
(gdb) bt
#0  0x00000000004ba4d8 in VSread (vkey=1073741846, buf=0x7ffbf7be4010 "", nelt=2147483647, interlace=0) at vrw.c:276
#1  0x0000000000420186 in hdf_read_attrs (xdrs=0x5193a0, handle=0x518330, vg=805306379) at cdf.c:2252
#2  0x0000000000420c34 in hdf_read_vars (xdrs=0x5193a0, handle=0x518330, vg=805306368) at cdf.c:2669
#3  0x00000000004211c8 in hdf_read_xdr_cdf (xdrs=0x5193a0, handlep=0x7fffffffd400) at cdf.c:2899
#4  0x000000000041d8e9 in hdf_xdr_cdf (xdrs=0x5193a0, handlep=0x7fffffffd400) at cdf.c:2973
#5  0x000000000041d3c3 in xdr_cdf (xdrs=0x5193a0, handlep=0x7fffffffd400) at cdf.c:664
#6  0x000000000041d299 in NC_new_cdf (name=0x7fffffffd5a0 "./segfault37.hdf", mode=0) at cdf.c:484
#7  0x00000000004233d6 in NC_open (path=0x7fffffffd5a0 "./segfault37.hdf", mode=0) at file.c:307
#8  0x000000000042353e in ncopen (path=0x7fffffffd5a0 "./segfault37.hdf", mode=0) at file.c:362
#9  0x0000000000429b00 in SDstart (name=0x7fffffffd5a0 "./segfault37.hdf", HDFmode=1) at mfsd.c:378
#10 0x0000000000410cc7 in dsd (dumpsds_opts=0x7fffffffd700, curr_arg=3, argc=3, argv=0x7fffffffdb08) at hdp_sds.c:1218
#11 0x00000000004116d7 in do_dumpsds (curr_arg=2, argc=3, argv=0x7fffffffdb08, help=0) at hdp_sds.c:1454
#12 0x0000000000402950 in main (argc=3, argv=0x7fffffffdb08) at hdp.c:146
(gdb) list
271
272                     /* we are bounded above by VDATA_BUFFER_MAX */
273                     buf_size = MIN(total_bytes, VDATA_BUFFER_MAX);
274
275                     /* make sure there is at least room for one record in our buffer */
276                     chunk = buf_size / hsize + 1;
277
278                     /* get a buffer big enough to hold the values */
279                     Vtbufsize = (size_t)chunk * (size_t)hsize;
280                     if (Vtbuf)
(gdb) p/x hsize
$1 = 0x0

Suggested fix: check whether hsize is zero and, if so, set chunk = 1.

** Affects: libhdf4 (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "input to reproduce"
   https://bugs.launchpad.net/bugs/1915417/+attachment/5462712/+files/segfault37.hdf

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1915417

Title:
  Hdp for hdf4-tools division by zero

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libhdf4/+bug/1915417/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
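
Added example, not part of the original report or of the HDF4 source: the sizing step from the gdb listing with the reporter's suggested guard, next to a stricter variant that rejects a zero record size. The function names, the EX_VDATA_BUFFER_MAX value and the inputs are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed cap for this example only; HDF4 defines its own VDATA_BUFFER_MAX. */
#define EX_VDATA_BUFFER_MAX 1000000
#define EX_MIN(a, b) ((a) < (b) ? (a) : (b))

/* Sizing step from the listing (vrw.c:273-279) with the report's suggested
 * guard: a zero record size yields chunk = 1 instead of a division.
 * Hypothetical helper; returns 0 on success, -1 on bad arguments. */
int ex_plan_suggested(int32_t total_bytes, int32_t hsize,
                      int32_t *chunk, size_t *vtbufsize)
{
    if (!chunk || !vtbufsize || total_bytes < 0 || hsize < 0)
        return -1;
    int32_t buf_size = EX_MIN(total_bytes, EX_VDATA_BUFFER_MAX);
    *chunk = (hsize == 0) ? 1 : buf_size / hsize + 1;
    *vtbufsize = (size_t)*chunk * (size_t)hsize; /* 0 when hsize == 0 */
    return 0;
}

/* Stricter variant: treat a record size of zero as malformed input and
 * report an error to the caller before any arithmetic or allocation. */
int ex_plan_strict(int32_t total_bytes, int32_t hsize,
                   int32_t *chunk, size_t *vtbufsize)
{
    if (hsize == 0)
        return -1;
    return ex_plan_suggested(total_bytes, hsize, chunk, vtbufsize);
}

int main(void)
{
    int32_t chunk = 0;
    size_t size = 0;
    /* Constructed inputs: a large total_bytes with the hsize value seen in gdb. */
    int rc = ex_plan_suggested(2147483647, 0, &chunk, &size);
    printf("suggested: rc=%d chunk=%d bufsize=%zu\n", rc, (int)chunk, size);
    rc = ex_plan_strict(2147483647, 0, &chunk, &size);
    printf("strict:    rc=%d\n", rc);
    return 0;
}
```

With the suggested guard the buffer size computed for hsize == 0 is 0 bytes, so the caller still has to cope with an empty buffer; the strict variant returns an error instead.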