Description
Hi Tippecanoe Developers,
First of all, thank you for your great work on tippecanoe — it’s a very useful tool for vector tile generation.
I would like to report two double free vulnerabilities I encountered while testing the latest version of tippecanoe. It appears that tippecanoe may crash with a double free when given malformed input. In both cases the crash occurs in free() called from json_end(), right after the JSON parser has reported a syntax error ("Decimal point without digits" and "Exponent without digits"), which suggests that the parser's error path and its caller both release the same partially parsed object; the second case also triggers the malloc corruption check ("double free or corruption (!prev)"), so the heap may already be damaged before the abort.
For the first one, here are the gdb debugging details:
###################################################################
(gdb) run
Starting program: /********/tippecanoe/tippecanoe -o out.mbtiles --force doublefree
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
@@GetShareKey -> 0xC3B3C5D0
For layer 0, using name "doublefree"
doublefree:1: Decimal point without digits: in JSON object {"type":"Feature","tippecanoe":{"layer":"sfzips","minzoom":11,"maxzoom":11},"properties":{"bin-ids":"236,237,510,514","ZCTA5CE10":"94129","GEOID10":"94129","CLASSFP10":"B5","MTFCC10":"G6350","FUNCSTAT10":"S","ALAND10":5968455,"AWATER10":14697,"INTPTLAT10":"+37.7973402","INTPTLON10":"-122.4644664"},"geometry":{"type":"MultiPolygon","coordinates":[[[[-122.46666,37.805851],[-122.46357,37.804901],[-122.461681,37.804901],[-122.45842,37.805444],[]]]]}}
free(): double free detected in tcache 2
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff70ec7f1 in __GI_abort () at abort.c:79
#2 0x00007ffff7135837 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7262a7b "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007ffff713c8ba in malloc_printerr (str=str@entry=0x7ffff72646e8 "free(): double free detected in tcache 2") at malloc.c:5342
#4 0x00007ffff71440ed in _int_free (have_lock=0, p=0xad8700, av=0x7ffff7497c40 <main_arena>) at malloc.c:4195
#5 __GI___libc_free (mem=0xad8710) at malloc.c:3134
#6 0x000000000040fd0e in json_end ()
#7 0x00000000004d7c71 in read_input(std::vector<source, std::allocator
#8 0x00000000004e92b2 in main ()
##################################################################################################
For the second one, here are the gdb debugging details:
##################################################################################################
(gdb) run
Starting program: /**************************/tippecanoe/tippecanoe -o out.mbtiles --force doublefree1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
@@GetShareKey -> 0xC3B3C5D0
For layer 0, using name "doublefree1"
[New Thread 0x7fffcce82700 (LWP 6538)]
doublefree1:1: Found misspelling of false:
[New Thread 0x7fffcc681700 (LWP 6539)]
[Thread 0x7fffcce82700 (LWP 6538) exited]
[New Thread 0x7fffcbe80700 (LWP 6540)]
[Thread 0x7fffcc681700 (LWP 6539) exited]
[New Thread 0x7fffcb67f700 (LWP 6541)]
[Thread 0x7fffcbe80700 (LWP 6540) exited]
[Thread 0x7fffcb67f700 (LWP 6541) exited]
[New Thread 0x7fffcae7e700 (LWP 6542)]
[Thread 0x7fffcae7e700 (LWP 6542) exited]
[New Thread 0x7fffca67d700 (LWP 6543)]
[New Thread 0x7fffc9e7c700 (LWP 6544)]
[Thread 0x7fffca67d700 (LWP 6543) exited]
[New Thread 0x7fffc967b700 (LWP 6545)]
[Thread 0x7fffc9e7c700 (LWP 6544) exited]
[New Thread 0x7fffc8e7a700 (LWP 6546)]
[Thread 0x7fffc967b700 (LWP 6545) exited]
[New Thread 0x7fffc8679700 (LWP 6547)]
[Thread 0x7fffc8e7a700 (LWP 6546) exited]
[Thread 0x7fffc8679700 (LWP 6547) exited]
[New Thread 0x7fffc7e78700 (LWP 6548)]
[Thread 0x7fffc7e78700 (LWP 6548) exited]
[New Thread 0x7fffc7677700 (LWP 6549)]
[New Thread 0x7fffc6e76700 (LWP 6550)]
[Thread 0x7fffc7677700 (LWP 6549) exited]
[New Thread 0x7fffc6675700 (LWP 6551)]
[Thread 0x7fffc6e76700 (LWP 6550) exited]
[New Thread 0x7fffc5e74700 (LWP 6552)]
[Thread 0x7fffc6675700 (LWP 6551) exited]
[Thread 0x7fffc5e74700 (LWP 6552) exited]
[New Thread 0x7fffc5673700 (LWP 6553)]
doublefree1:1: Exponent without digits:
[Thread 0x7fffc5673700 (LWP 6553) exited]
double free or corruption (!prev)
Thread 1 "tippecanoe" received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff70ec7f1 in __GI_abort () at abort.c:79
#2 0x00007ffff7135837 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7262a7b "%s\n")
at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007ffff713c8ba in malloc_printerr (str=str@entry=0x7ffff72647a8 "double free or corruption (!prev)") at malloc.c:5342
#4 0x00007ffff7143e5c in _int_free (have_lock=0, p=0xaff180, av=0x7ffff7497c40 <main_arena>) at malloc.c:4311
#5 __GI___libc_free (mem=0xaff190) at malloc.c:3134
#6 0x000000000040fd0e in json_end ()
#7 0x00000000004cc60f in do_read_parallel(char*, long long, long long, char const*, std::vector<reader, std::allocator >, std::atomic, std::set<std::__cxx11::basic_string<char, std::char_traits, std::allocator >, std::less<std::__cxx11::basic_string<char, std::char_traits, std::allocator > >, std::allocator<std::__cxx11::basic_string<char, std::char_traits, std::allocator > > >, std::set<std::__cxx11::basic_string<char, std::char_traits, std::allocator >, std::less<std::__cxx11::basic_string<char, std::char_traits, std::allocator > >, std::allocator<std::__cxx11::basic_string<char, std::char_traits, std::allocator > > >, int, int, int, std::vector<std::map<std::__cxx11::basic_string<char, std::char_traits, std::allocator >, layermap_entry, std::less<std::__cxx11::basic_string<char, std::char_traits, std::allocator > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits, std::allocator > const, layermap_entry> > >, std::allocator<std::map<std::__cxx11::basic_string<char, std::char_traits, std::allocator >, layermap_entry, std::less<std::__cxx11::basic_string<char, std::char_traits, std::allocator > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits, std::allocator > const, layermap_entry> > > > >, int, unsigned int*, unsigned int*, int, std::__cxx11::basic_string<char, std::char_traits, std::allocator >, bool, std::unordered_map<std::__cxx11::basic_string<char, std::char_traits, std::allocator >, int, std::hash<std::__cxx11::basic_string<char, std::char_traits, std::allocator > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits, std::allocator > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits, std::allocator > const, int> > > const*, int, double*, unsigned long*, double*, bool, bool) ()
#8 0x00000000004d789e in read_input(std::vector<source, std::allocator
#9 0x00000000004e92b2 in main ()
#############################################################################################################