CVE-2018-20539: Segmentation fault triggered by illegal address access at liblas::SpatialReference::GetGTIF()(src/spatialreference.cpp:515)

[carnil]

The following issue was reported downstream in the Red Hat Bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=1652609

(A CVE was apparently assigned and got CVE-2018-20539)

[manisandro]

Proposed patch:

diff -rupN --no-dereference libLAS-d76a061f33a69a36ab116cd939c5d444b301efd8/src/spatialreference.cpp libLAS-d76a061f33a69a36ab116cd939c5d444b301efd8-new/src/spatialreference.cpp
--- libLAS-d76a061f33a69a36ab116cd939c5d444b301efd8/src/spatialreference.cpp	2020-04-05 18:40:29.000000000 +0200
+++ libLAS-d76a061f33a69a36ab116cd939c5d444b301efd8-new/src/spatialreference.cpp	2020-04-14 20:10:51.189663648 +0200
@@ -510,12 +510,15 @@ const GTIF* SpatialReference::GetGTIF()
#pragma pack(pop)

            ShortKeyHeader *header = (ShortKeyHeader *)data.data();
-            // Calculate the number of shorts in the VLR data.
-            // The '+ 1' accounts for the header itself.
-            int count = (header->numKeys + 1) * 4;
-            short *data_s = reinterpret_cast<short *>( &(data[0]));
+            if (header)
+            {
+                // Calculate the number of shorts in the VLR data.
+                // The '+ 1' accounts for the header itself.
+                int count = (header->numKeys + 1) * 4;
+                short *data_s = reinterpret_cast<short *>( &(data[0]));

-            ST_SetKey(m_tiff, record.GetRecordId(), count, STT_SHORT, data_s);
+                ST_SetKey(m_tiff, record.GetRecordId(), count, STT_SHORT, data_s);
+            }
        }

        if (uid == record.GetUserId(true).c_str() &&

[mloskot]

@manisandro Please, submit PR