OSGeo GDAL HDF-EOS Library Out-of-Bounds Read Vulnerability in GDfieldinfo Function

Vulnerability

A vulnerability allowing for an out-of-bounds read has been identified in OSGeo GDAL versions through 3.13.0dev-4. The issue arises in the HDF4-EOS handling, specifically within the GDfieldinfo function of the GDapi.c file. The vulnerability is triggered by a size_t underflow when the function processes the DimList metadata, leading to a read operation that exceeds the allocated buffer. This flaw can be exploited locally, causing a segmentation fault and a denial-of-service condition.
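
The bug class described above, as an added example that is not GDAL's or HDF-EOS's own code: a `size_t` length subtraction that wraps when a DimList-style value is shorter than expected, next to a checked form. The function names and the sample value `("YDim","XDim")` are constructed for illustration; the page does not show the affected lines of GDapi.c.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Length an unchecked "drop first and last character" copy would request.
 * strlen() returns size_t, so for inputs shorter than 2 bytes the
 * subtraction wraps to a value near SIZE_MAX instead of going negative,
 * and a memmove/memcpy given that length reads far past the buffer. */
size_t unchecked_strip_len(const char *value)
{
    return strlen(value) - 2;
}

/* Hardened form: strip the enclosing parentheses of a DimList-style value
 * in place. Returns 0 on success, -1 if the value is too short or not
 * wrapped in parentheses, so the caller can reject the metadata. */
int strip_parens_checked(char *value)
{
    size_t len = strlen(value);
    if (len < 2 || value[0] != '(' || value[len - 1] != ')')
        return -1;
    memmove(value, value + 1, len - 2);
    value[len - 2] = '\0';
    return 0;
}

/* Count comma-separated dimension entries; -1 on malformed input. */
int count_dims(char *value)
{
    if (strip_parens_checked(value) != 0)
        return -1;
    if (value[0] == '\0')
        return 0;
    int n = 1;
    for (const char *p = value; *p; p++)
        if (*p == ',')
            n++;
    return n;
}
```

Validating the length before the subtraction is what keeps a truncated or empty metadata value from turning into an oversized read.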

Impact

Exploitation of this vulnerability causes a heap-buffer-overflow, leading to a segmentation fault and a denial-of-service condition.

Reproduction

The vulnerability can be reproduced using the 'gdalmdiminfo' command-line tool with a crafted HDF-EOS grid file that exploits the DimList parsing. The file 'poc_gdfinfo_dimlist_oob-read.he4' serves as a proof of concept, demonstrating the out-of-bounds read by causing the application to crash.

Remediation

Users are advised to upgrade to GDAL version 3.13.0RC1, where this vulnerability has been fixed.

Added: May 7, 2026, 8:24 PM
Updated: May 7, 2026, 8:24 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 1.3
exploitability: 4.2
remediation: 7.7
relevance: 7.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.