heap-buffer-overflow in cgi_read_ptset

Description

When compiling the CGNS 3.4.0 library with the address sanitizer of gcc 8.3.0 enabled, a heap-buffer-overflow is detected in cgi_read_ptset when our application tries to open a CGNS file. The utilized CMAKE_C_FLAGS_DEBUG are "-ggdb -fno-common -O0 -fsanitize=address -fsanitize-recover=address". If you are not already doing this, I would STRONGLY recommend always using sanitizers for your test runs.

Here is the corresponding sanitizer output:

=================================================================
==16462==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200004ad5c at pc 0x7fc7b3e73406 bp 0x7ffd84638420 sp 0x7ffd84638418
READ of size 4 at 0x60200004ad5c thread T0
#0 0x7fc7b3e73405 in cgi_read_ptset /home/geis_go/tmp/CGNS/src/cgns_internals.c:3156
#1 0x7fc7b3e627de in cgi_read_conn /home/geis_go/tmp/CGNS/src/cgns_internals.c:1968
#2 0x7fc7b3e5e9fd in cgi_read_zconn /home/geis_go/tmp/CGNS/src/cgns_internals.c:1609
#3 0x7fc7b3e4ca9d in cgi_read_zone /home/geis_go/tmp/CGNS/src/cgns_internals.c:397
#4 0x7fc7b3e4a9d4 in cgi_read_base /home/geis_go/tmp/CGNS/src/cgns_internals.c:235
#5 0x7fc7b3e490c6 in cgi_read /home/geis_go/tmp/CGNS/src/cgns_internals.c:100
#6 0x7fc7b3f10c12 in cg_open /home/geis_go/tmp/CGNS/src/cgnslib.c:466
#7 0x470b2f in cg_openWait IO/cgns3D.c:500
#8 0x481661 in openCGNSFileReadOnly IO/cgnsAux.c:73
#9 0x41a403 in setupTraceCntlForPrep MAIN/prepEnv.c:2470
#10 0x40eced in main MAIN/prepMain.c:116
#11 0x7fc7b173eb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#12 0x40eb38 (/home/geis_go/work/trace_suite_clean/prep/PREPdebug+0x40eb38)

0x60200004ad5c is located 0 bytes to the right of 12-byte region [0x60200004ad50,0x60200004ad5c)
allocated by thread T0 here:
#0 0x7fc7b4338da8 in __interceptor_calloc (/opt/gcc-8.3.0/lib64/libasan.so+0xe8da8)
#1 0x7fc7b3e48b95 in cgi_malloc /home/geis_go/tmp/CGNS/src/cgns_internals.c:64
#2 0x7fc7b3e7323f in cgi_read_ptset /home/geis_go/tmp/CGNS/src/cgns_internals.c:3150
#3 0x7fc7b3e627de in cgi_read_conn /home/geis_go/tmp/CGNS/src/cgns_internals.c:1968
#4 0x7fc7b3e5e9fd in cgi_read_zconn /home/geis_go/tmp/CGNS/src/cgns_internals.c:1609
#5 0x7fc7b3e4ca9d in cgi_read_zone /home/geis_go/tmp/CGNS/src/cgns_internals.c:397
#6 0x7fc7b3e4a9d4 in cgi_read_base /home/geis_go/tmp/CGNS/src/cgns_internals.c:235
#7 0x7fc7b3e490c6 in cgi_read /home/geis_go/tmp/CGNS/src/cgns_internals.c:100
#8 0x7fc7b3f10c12 in cg_open /home/geis_go/tmp/CGNS/src/cgnslib.c:466
#9 0x470b2f in cg_openWait IO/cgns3D.c:500
#10 0x481661 in openCGNSFileReadOnly IO/cgnsAux.c:73
#11 0x41a403 in setupTraceCntlForPrep MAIN/prepEnv.c:2470
#12 0x40eced in main MAIN/prepMain.c:116
#13 0x7fc7b173eb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/geis_go/tmp/CGNS/src/cgns_internals.c:3156 in cgi_read_ptset
Shadow bytes around the buggy address:
0x0c0480001550: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480001560: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480001570: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c0480001580: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c0480001590: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
=>0x0c04800015a0: fa fa fd fa fa fa fd fd fa fa 00[04]fa fa fa fa
0x0c04800015b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04800015c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04800015d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04800015e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04800015f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
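The report above pins down the defect class without showing the cause: a 12-byte region (three ints) is calloc'ed through cgi_malloc at cgns_internals.c:3150 and a 4-byte read at line 3156 lands exactly at the end of it, i.e. a loop indexes the buffer with a count that was not the one the allocation was sized from. The following is an added illustration, not CGNS code and not the reporter's reproducer: it uses a hypothetical record layout (a header count plus a separately stated data length, names such as ptset_t, alloc_ptset and sum_ptset_unchecked are invented) to show the unchecked consumer that produces this ASan signature next to the hardened form that reconciles the two sizes before indexing. The sample records are constructed, not taken from any CGNS file.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical record layout for this illustration only (it is NOT the
 * CGNS/HDF5 on-disk format and not what cgi_read_ptset parses):
 *   uint32 npnts       number of index values the record claims to contain
 *   uint32 data_bytes  byte length of the int32 value array that follows
 *   int32  values[]    data_bytes / 4 little-endian values
 */
typedef struct {
    uint32_t npnts;     /* count taken from the record header */
    int32_t *pnts;      /* heap buffer sized from data_bytes, like cgi_malloc() */
    size_t   pnts_len;  /* number of int32 values actually allocated */
} ptset_t;

#define PTSET_ERR LONG_MIN  /* sentinel returned for a malformed record */

static uint32_t le32(const uint8_t *b) {
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Parse the header and allocate the value buffer from data_bytes. In the
 * report the region is 12 bytes, i.e. three ints, zero-filled by calloc. */
static ptset_t *alloc_ptset(const uint8_t *rec, size_t rec_len) {
    if (rec_len < 8) return NULL;                       /* truncated header */
    uint32_t npnts = le32(rec), data_bytes = le32(rec + 4);
    if (data_bytes % 4 != 0 || rec_len - 8 < data_bytes) return NULL;
    ptset_t *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    p->npnts = npnts;
    p->pnts_len = data_bytes / 4;
    p->pnts = calloc(p->pnts_len ? p->pnts_len : 1, sizeof(int32_t));
    if (!p->pnts) { free(p); return NULL; }
    for (size_t i = 0; i < p->pnts_len; i++)
        p->pnts[i] = (int32_t)le32(rec + 8 + 4 * i);
    return p;
}

static void free_ptset(ptset_t *p) { if (p) { free(p->pnts); free(p); } }

/* The defect class behind the report: the loop bound is the header count,
 * but the buffer was sized from a different field. With npnts = 4 over a
 * 12-byte buffer the fourth iteration is exactly the "READ of size 4 ...
 * 0 bytes to the right of 12-byte region" that ASan printed. */
static long sum_ptset_unchecked(const ptset_t *p) {
    long s = 0;
    for (uint32_t i = 0; i < p->npnts; i++) s += p->pnts[i];
    return s;
}

/* Hardened form: reconcile the two sizes before any indexing and reject the
 * record when they disagree, instead of trusting whichever is larger. */
static long sum_ptset_checked(const ptset_t *p) {
    if (p->npnts > p->pnts_len) return PTSET_ERR;       /* count exceeds data present */
    long s = 0;
    for (uint32_t i = 0; i < p->npnts; i++) s += p->pnts[i];
    return s;
}

/* End-to-end: the sum of the record's values, or PTSET_ERR for any malformed
 * record (truncated header, truncated data, count/length mismatch). */
static long ptset_sum(const uint8_t *rec, size_t rec_len) {
    ptset_t *p = alloc_ptset(rec, rec_len);
    if (!p) return PTSET_ERR;
    long s = sum_ptset_checked(p);
    free_ptset(p);
    return s;
}

/* Constructed sample records. Both carry three values (12 bytes of data);
 * BAD_REC's header claims four, which is the mismatch the report shows. */
static const uint8_t GOOD_REC[] = { 3,0,0,0, 12,0,0,0, 1,0,0,0, 2,0,0,0, 3,0,0,0 };
static const uint8_t BAD_REC[]  = { 4,0,0,0, 12,0,0,0, 1,0,0,0, 2,0,0,0, 3,0,0,0 };

int main(void) {
    printf("GOOD_REC checked: %ld\n", ptset_sum(GOOD_REC, sizeof GOOD_REC)); /* 6 */
    printf("BAD_REC  checked: %s\n",
           ptset_sum(BAD_REC, sizeof BAD_REC) == PTSET_ERR ? "rejected" : "accepted");
    /* The unchecked reader agrees on a well-formed record; it only misbehaves
     * when the header count exceeds the allocation. Build with the flags from
     * the report (-ggdb -O0 -fsanitize=address) and call it on
     * alloc_ptset(BAD_REC, ...) to see the same heap-buffer-overflow signature. */
    ptset_t *g = alloc_ptset(GOOD_REC, sizeof GOOD_REC);
    printf("GOOD_REC unchecked: %ld\n", sum_ptset_unchecked(g));           /* 6 */
    free_ptset(g);
    return 0;
}
```

The check worth carrying back into a real parser is the one in sum_ptset_checked: whenever a count and a byte length both come from the file, validate them against each other (and against the allocation) once, at read time, and fail the open rather than trusting the larger of the two.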

Environment: None
Status:
Assignee: Unassigned
Reporter: Anonymous
Labels: None
Components:
Fix versions:
Affects versions: 3.4.0
Priority: Critical