OSGeo GDAL Heap-Based Buffer Overflow Vulnerability in HDF4-EOS Grid File Handler

Vulnerability

A heap-based buffer overflow has been identified in OSGeo GDAL versions through 3.13.0dev-4. The issue resides in the Grid File Handler component, specifically in the GDSDfldsrch function in GDapi.c. It is triggered by an unchecked string manipulation that strips the surrounding quotes from a metadata-derived string. When the FieldList metadata value is empty, this operation causes a size_t underflow, leading to an out-of-bounds read and a subsequent heap-buffer overflow. Exploitation requires local access (a crafted file must be processed), and an exploit has been disclosed publicly.
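The following C example is added here to illustrate the bug class the advisory describes; it is a hypothetical reconstruction of the pattern, not GDAL's own GDSDfldsrch code. It shows an unchecked quote-stripping routine beside a hardened one: for an empty string, `len - 1` indexes before the buffer and `len - 2` wraps to a huge size_t that is then handed to memmove. The function names and the sample inputs are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (illustrative, hypothetical): strip a leading and
   trailing double quote in place without checking the length first.
   For s == "", len is 0, so s[len - 1] reads s[-1] (out of bounds) and
   len - 2 wraps to SIZE_MAX - 1, which memmove then uses as its length.
   Not called below; shown only for comparison with the checked version. */
void strip_quotes_unchecked(char *s)
{
    size_t len = strlen(s);
    if (s[0] == '"' && s[len - 1] == '"') {
        memmove(s, s + 1, len - 2);
        s[len - 2] = '\0';
    }
}

/* Returns true when the unchecked routine's `len - 2` would wrap for this
   input, i.e. whenever the string holds fewer than two characters. */
bool strip_quotes_would_underflow(const char *s)
{
    return strlen(s) < 2;
}

/* Hardened version: only strip when the string is long enough to contain
   both quotes. Returns 1 if quotes were removed, 0 if the input is left
   untouched. Works correctly for "", "\"", "\"\"" and unquoted input. */
int strip_quotes_checked(char *s)
{
    size_t len = strlen(s);
    if (len < 2 || s[0] != '"' || s[len - 1] != '"')
        return 0;
    memmove(s, s + 1, len - 2);   /* len - 2 >= 0 is now guaranteed */
    s[len - 2] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed sample inputs, including the empty FieldList case. */
    char quoted[] = "\"DataField\"";
    char empty[]  = "";
    printf("would underflow on empty input: %s\n",
           strip_quotes_would_underflow(empty) ? "yes" : "no");
    printf("checked strip on empty input returned %d\n",
           strip_quotes_checked(empty));
    printf("checked strip on quoted input returned %d -> '%s'\n",
           strip_quotes_checked(quoted), quoted);
    return 0;
}
```

Compiling a routine like the unchecked one with `-fsanitize=address` and feeding it an empty string produces the same class of out-of-bounds read report that the Reproduction section describes; the length guard in the checked version is the minimal fix for this pattern.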

Impact

Exploitation of this vulnerability causes a stack-buffer overflow: the wrapped length is passed to memmove, which reads an excessive amount of data from the stack, defeating memory safety and potentially allowing arbitrary code execution.

Reproduction

The vulnerability can be reproduced with the 'gdalmdiminfo' command-line tool and a crafted HDF-EOS grid file that exercises the quote-stripping operation in the GDSDfldsrch function. When GDAL is built with AddressSanitizer (ASan), it reports an out-of-bounds read, confirming that the vulnerability has been triggered.

Remediation

Upgrading to OSGeo GDAL version 3.13.0RC1 addresses this vulnerability.

Added: May 9, 2026, 11:19 PM
Updated: May 9, 2026, 11:19 PM

Vulnerability Rating

Custom Algorithm

spread:         6.6
impact:         3.1
exploitability: 5.6
remediation:    7.7
relevance:      7.8
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.