Hdp from hdf4-tools division by zero

Bug #1915417 reported by Andrey Fedotov
This bug affects 1 person
Affects: libhdf4 (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Hello,
Below is a description of a crash found by the dynamic analysis tool Sydr (part of the Crusher system) https://www.ispras.ru/en/technologies/sydr/ developed at ISP RAS.

System: Ubuntu 20.04.2 LTS.
Package: libhdf4_4.2.14-1ubuntu1.debian.tar.xz

Division by zero:
(gdb) r
Starting program: /home/fedotoff/hdp-test/hdp-crash/libhdf4-4.2.14/install/bin/hdp dumpsds ./segfault37.hdf

Program received signal SIGFPE, Arithmetic exception.
0x00000000004ba4d8 in VSread (vkey=1073741846, buf=0x7ffbf7be4010 "", nelt=2147483647, interlace=0) at vrw.c:276
276 chunk = buf_size / hsize + 1;
(gdb) bt
#0 0x00000000004ba4d8 in VSread (vkey=1073741846, buf=0x7ffbf7be4010 "", nelt=2147483647, interlace=0) at vrw.c:276
#1 0x0000000000420186 in hdf_read_attrs (xdrs=0x5193a0, handle=0x518330, vg=805306379) at cdf.c:2252
#2 0x0000000000420c34 in hdf_read_vars (xdrs=0x5193a0, handle=0x518330, vg=805306368) at cdf.c:2669
#3 0x00000000004211c8 in hdf_read_xdr_cdf (xdrs=0x5193a0, handlep=0x7fffffffd400) at cdf.c:2899
#4 0x000000000041d8e9 in hdf_xdr_cdf (xdrs=0x5193a0, handlep=0x7fffffffd400) at cdf.c:2973
#5 0x000000000041d3c3 in xdr_cdf (xdrs=0x5193a0, handlep=0x7fffffffd400) at cdf.c:664
#6 0x000000000041d299 in NC_new_cdf (name=0x7fffffffd5a0 "./segfault37.hdf", mode=0) at cdf.c:484
#7 0x00000000004233d6 in NC_open (path=0x7fffffffd5a0 "./segfault37.hdf", mode=0) at file.c:307
#8 0x000000000042353e in ncopen (path=0x7fffffffd5a0 "./segfault37.hdf", mode=0) at file.c:362
#9 0x0000000000429b00 in SDstart (name=0x7fffffffd5a0 "./segfault37.hdf", HDFmode=1) at mfsd.c:378
#10 0x0000000000410cc7 in dsd (dumpsds_opts=0x7fffffffd700, curr_arg=3, argc=3, argv=0x7fffffffdb08) at hdp_sds.c:1218
#11 0x00000000004116d7 in do_dumpsds (curr_arg=2, argc=3, argv=0x7fffffffdb08, help=0) at hdp_sds.c:1454
#12 0x0000000000402950 in main (argc=3, argv=0x7fffffffdb08) at hdp.c:146
(gdb) list
271
272 /* we are bounded above by VDATA_BUFFER_MAX */
273 buf_size = MIN(total_bytes, VDATA_BUFFER_MAX);
274
275 /* make sure there is at least room for one record in our buffer */
276 chunk = buf_size / hsize + 1;
277
278 /* get a buffer big enough to hold the values */
279 Vtbufsize = (size_t)chunk * (size_t)hsize;
280 if (Vtbuf)
(gdb) p/x hsize
$1 = 0x0

Suggestion for fix: check whether hsize is zero and, if so, set chunk = 1.
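
Added example (not code from HDF4 or from the reporter): a stand-alone model of vrw.c lines 273-279 as listed above, which rejects a non-positive record size before the division instead of setting chunk = 1, because line 279 would otherwise compute a buffer size of chunk * hsize = 0 bytes. The helper name plan_vdata_buffer, the int32_t types and the value of VDATA_BUFFER_MAX are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed value for this sketch; the report shows only the macro's name. */
#define VDATA_BUFFER_MAX 1000000
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/*
 * Hypothetical helper modelling vrw.c lines 273-279 from the gdb listing.
 * total_bytes and hsize are derived from the file being parsed, so both
 * are untrusted. Returns the buffer size in bytes, or 0 when the sizes
 * are malformed; *chunk_out (optional) receives the record count.
 */
size_t plan_vdata_buffer(int32_t total_bytes, int32_t hsize, int32_t *chunk_out)
{
    int32_t buf_size, chunk;

    /* Reject before dividing: hsize == 0 is the SIGFPE in the report. */
    if (hsize <= 0 || total_bytes < 0)
        return 0;

    /* we are bounded above by VDATA_BUFFER_MAX */
    buf_size = MIN(total_bytes, VDATA_BUFFER_MAX);

    /* make sure there is at least room for one record in our buffer */
    chunk = buf_size / hsize + 1;
    if (chunk_out)
        *chunk_out = chunk;

    /* widen before multiplying, as line 279 does */
    return (size_t)chunk * (size_t)hsize;
}

int main(void)
{
    /* Constructed inputs; {4096, 0} mirrors the hsize value gdb printed. */
    const int32_t cases[][2] = { {4096, 0}, {4096, 16}, {INT32_MAX, 8}, {10, -4} };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int32_t chunk = 0;
        size_t n = plan_vdata_buffer(cases[i][0], cases[i][1], &chunk);
        if (n == 0)
            printf("total=%d hsize=%d -> rejected\n", (int)cases[i][0], (int)cases[i][1]);
        else
            printf("total=%d hsize=%d -> chunk=%d, %zu bytes\n",
                   (int)cases[i][0], (int)cases[i][1], (int)chunk, n);
    }
    return 0;
}
```

A caller would treat a return of 0 as a malformed file and fail the read rather than continue with an empty buffer.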

Revision history for this message
Andrey Fedotov (fedotoff) wrote :
description: updated
summary: - Hdp for hdf4-tools division by zero
+ Hdp from hdf4-tools division by zero