Ticket #57 (closed defect: fixed)

Opened 22 months ago

Last modified 21 months ago

Stack corruption in las2las

Reported by: mloskot
Owned by: hobu
Priority: critical
Milestone:
Component: Utilities
Version: svn-trunk
Keywords: las2las
Cc:
LAS Format Version: Not Applicable

Description

I've experienced stack corruption in the las2las.c program around the variable surviving_number_of_points_by_return.

In file las2las.c:354, the following line does an unsafe calculation of the index:

surviving_number_of_points_by_return[LASPoint_GetReturnNumber(p)-1]++;

When LASPoint_GetReturnNumber(p) returns 0, the index evaluates to -1, the equivalent of *(ptr - 1). Now, if surviving_number_of_points_by_return points to the first element, then index -1 is out of range and the applied operator ++ causes memory corruption.
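
A guarded form of the increment described above, as an added example that is not part of the ticket and is not the change made in r782. The five-slot counter array, the `return_tally` struct and the `tally_return`/`tally_all` helpers are assumptions for illustration; the check also rejects return numbers above the array size, which goes beyond the zero case reported here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RETURN_SLOTS 5  /* assumed size of the per-return counter array */

/* Hypothetical tally: per-return counters plus a count of rejected values. */
typedef struct {
    uint32_t by_return[RETURN_SLOTS];
    uint32_t rejected;
} return_tally;

/* Count one point. return_number is 1-based; 0 or > RETURN_SLOTS would
 * index outside by_return[], so those are tallied separately instead.
 * Returns 1 if counted, 0 if rejected. */
static int tally_return(return_tally *t, unsigned return_number)
{
    if (return_number < 1 || return_number > RETURN_SLOTS) {
        t->rejected++;
        return 0;
    }
    t->by_return[return_number - 1]++;
    return 1;
}

/* Tally a whole array of return numbers; returns how many were rejected. */
static uint32_t tally_all(return_tally *t, const unsigned *rn, size_t n)
{
    for (size_t i = 0; i < n; i++)
        tally_return(t, rn[i]);
    return t->rejected;
}

int main(void)
{
    /* Constructed sample: includes 0 (the case from the ticket) and 7. */
    const unsigned sample[] = { 1, 2, 0, 1, 5, 7, 3 };
    return_tally t = { {0}, 0 };
    uint32_t bad = tally_all(&t, sample, sizeof sample / sizeof sample[0]);
    for (int i = 0; i < RETURN_SLOTS; i++)
        printf("return %d: %u\n", i + 1, (unsigned)t.by_return[i]);
    printf("rejected: %u\n", (unsigned)bad);
    return 0;
}
```

Reporting the rejected count separately keeps malformed points visible in the summary instead of silently dropping them.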

Change History

Changed 21 months ago by hobu

Fixed in r782

Changed 21 months ago by hobu

  • status changed from new to closed
  • resolution set to fixed