Bug report or patch? #136
Comments
This email was not received. Please try again.

I sent the email to both qhull_bug@qhull.org and qhull@qhull.org again.

Did the email arrive?

The email, "Use After Free" was classified as junk. Please resend. It should go through.
--Brad
At 05:54 AM 11/04/2023, �� wrote:
Did the email arrive?
I sent the email again! :)
Good catch. Many thanks for reporting the problem and your good bug report. It needs to be fixed, but should not cause problems for most Qhull users. The loop in qh_triangulate calls qh_delfacet. It does not allocate facets or other memory structures. For most users, qh_delfacet adds the facet's memory to qhmem.freelists via mem_r.cpp ("short memory"). The facet's memory is not released; instead it is reused later for other facets. I'll fix the problem later this month. Your email
@cbbarber Thank you for looking at our report! :) We would appreciate it if you could confirm this bug when you have enough time.
qh_freebuild is only called from qh_freeqhull, which frees all memory and zeros out qhmemT. Is your code calling qh_freebuild from elsewhere? If so, it is likely a mistake. In any case your email needs further review, best done when I fix this problem.
As I understand it, qh_build_withrestart calls qh_freebuild and then qh_initbuild, so it is likely to be used after qh_freebuild. But facet_next would not be referenced after free in most cases, because qh_initbuild reinitializes the qh with a new facet list (but in our log, it is accessed at final logging). I think it's a bug more about correctness. As security researchers, we need your confirmation of the bug, although it is negligible because the UAF only occurs during logging, so could I politely ask you for confirmation when you have enough time to review this bug? Thank you for taking your time for our bug reports :)
Your analysis is good. I need to check if similar problems occur elsewhere. Expect a fix after I review the open issues and requests. qh_build_withrestart in libqhull_r.c is used with option 'QJ' for joggled input. Merged facets (the default) usually produce a more accurate convex hull when the input contains geometric degeneracies (e.g., nearly coplanar facets). Joggled input avoids merging altogether, allowing a simpler implementation. qh_build_withrestart calls qh_freebuild at each restart. qh_freebuild clears the facet lists after deleting the sentinel facet.
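The pattern the thread describes (a teardown routine that frees a sentinel-terminated facet list but leaves an iteration cursor pointing into it, which a later logging pass then reads) is illustrated below. This is a constructed example added for this issue, not qhull's code and not a patch for it: facet_t, hull_t and the hull_* functions are hypothetical stand-ins for the roles played by facetT, qhT, qh_freebuild, qh_initbuild and the final logging. It shows the defect as an unsafe teardown, the mitigation as a teardown that resets every pointer into the freed list, and a logging routine that treats a reset cursor as "nothing to log" instead of dereferencing it.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration, not qhull's code. facet_t/hull_t and the
 * hull_* functions are hypothetical stand-ins for the roles of qhull's
 * facetT, qhT, qh_freebuild, qh_initbuild and its final logging. */
typedef struct facet {
    int id;
    struct facet *next;
} facet_t;

typedef struct hull {
    facet_t *facet_list;  /* head of the facet list */
    facet_t *facet_tail;  /* sentinel facet terminating the list */
    facet_t *facet_next;  /* iteration cursor; the pointer that can go stale */
} hull_t;

/* Build n facets followed by a sentinel and point the cursor at the head. */
static void hull_initbuild(hull_t *qh, int n) {
    facet_t *sentinel = calloc(1, sizeof *sentinel);
    facet_t *head = sentinel;
    for (int i = n; i >= 1; i--) {
        facet_t *f = calloc(1, sizeof *f);
        f->id = i;
        f->next = head;
        head = f;
    }
    qh->facet_list = head;
    qh->facet_tail = sentinel;
    qh->facet_next = head;
}

/* Defect pattern: frees every facet (sentinel included) and clears the
 * list pointers, but leaves the cursor pointing into freed memory. */
static void hull_freebuild_unsafe(hull_t *qh) {
    facet_t *f = qh->facet_list;
    while (f) {
        facet_t *next = f->next;
        free(f);
        f = next;
    }
    qh->facet_list = qh->facet_tail = NULL;
    /* qh->facet_next deliberately left dangling here */
}

/* Mitigation: every pointer into the freed list is reset on teardown. */
static void hull_freebuild_safe(hull_t *qh) {
    hull_freebuild_unsafe(qh);
    qh->facet_next = NULL;
}

/* Final logging. Returns the number of facets written, or -1 when the hull
 * has been torn down (cursor or sentinel NULL), so a reset cursor turns a
 * would-be use-after-free into a harmless no-op. */
static int hull_log(const hull_t *qh, FILE *out) {
    if (!qh->facet_next || !qh->facet_tail)
        return -1;
    int count = 0;
    for (const facet_t *f = qh->facet_next; f != qh->facet_tail; f = f->next) {
        if (out)
            fprintf(out, "facet f%d\n", f->id);
        count++;
    }
    return count;
}

/* 1 if teardown left a cursor pointing into a freed list, else 0. */
static int hull_has_dangling_cursor(const hull_t *qh) {
    return qh->facet_list == NULL && qh->facet_next != NULL;
}

/* Scenarios returning observable results (used by main and by tests). */
static int scenario_log_count(int n) {
    hull_t qh = {0};
    hull_initbuild(&qh, n);
    int count = hull_log(&qh, NULL);
    hull_freebuild_safe(&qh);
    return count;
}
static int scenario_unsafe_dangling(void) {
    hull_t qh = {0};
    hull_initbuild(&qh, 3);
    hull_freebuild_unsafe(&qh);
    return hull_has_dangling_cursor(&qh);  /* 1: a later hull_log would read freed memory */
}
static int scenario_safe_log(void) {
    hull_t qh = {0};
    hull_initbuild(&qh, 3);
    hull_freebuild_safe(&qh);
    return hull_log(&qh, NULL);  /* -1: nothing to log, no freed memory touched */
}

int main(void) {
    printf("facets logged before teardown: %d\n", scenario_log_count(3));
    printf("cursor dangling after unsafe teardown: %d\n", scenario_unsafe_dangling());
    printf("log result after safe teardown: %d\n", scenario_safe_log());
    return 0;
}
```

Building with `-fsanitize=address` and calling hull_log after hull_freebuild_unsafe reports the read as a heap-use-after-free, which is the quickest way to confirm a report like this one. As noted earlier in the thread, facets released through qh_delfacet go to qhmem.freelists rather than back to the system allocator, so a sanitizer only sees accesses to memory that actually reaches free(); resetting the cursor in teardown, as hull_freebuild_safe does, is the mitigation that holds regardless of which allocator is underneath.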
Dear @cbbarber, I found a vulnerability in qhull and reported it to qhull_bug@qhull.org, but this project does not seem to be actively maintained.
So do you want me to patch the bug and open a Pull Request? Or could you check the bug report in the email?
Thank you.