SEGV crash within Document::InsertColumn function

[pvz122]

Description:

Hi, I encountered a SEGV crash when invoking Document::InsertColumn function to insert a column into a CSV document. The crash occurs during the itRow->insert() invocation (line 844), where itRow vector has a length of 1, while the insert index dataColumnIdx has a value of 2, causing an out-of-bound write access. The related source code is shown below:

rapidcsv/src/rapidcsv.h

Lines 839 to 846 in 083851d

	for (auto itRow = mData.begin(); itRow != mData.end(); ++itRow)
	{
	if (std::distance(mData.begin(), itRow) >= mLabelParams.mColumnNameIdx)
	{
	const size_t rowIdx = static_cast<size_t>(std::distance(mData.begin(), itRow));
	itRow->insert(itRow->begin() + static_cast<int>(dataColumnIdx), column.at(rowIdx));
	}
	}

The ASan report is:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==687954==ERROR: AddressSanitizer: SEGV on unknown address 0x506000040000 (pc 0x74ada89688df bp 0x7ffc67570680 sp 0x7ffc67570608 T0)
==687954==The signal is caused by a WRITE memory access.
    #0 0x74ada89688df in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>::basic_string(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&&) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x1688df) (BuildId: ca77dae775ec87540acd7218fa990c40d1c94ab1)
    #1 0x643e3cf8ded0 in void std::__new_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>::construct<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/new_allocator.h:191:23
    #2 0x643e3cf8ded0 in void std::allocator_traits<std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>::construct<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>(std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/alloc_traits.h:538:8
    #3 0x643e3cf8ded0 in void std::__relocate_object_a<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>&) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_uninitialized.h:1077:7
    #4 0x643e3cf8de3e in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>* std::__relocate_a_1<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>&) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_uninitialized.h:1105:2
    #5 0x643e3cf8ddee in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>* std::__relocate_a<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>&) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_uninitialized.h:1147:14
    #6 0x643e3cf8d98c in std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>::_S_relocate(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>&) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_vector.h:509:9
    #7 0x643e3cf9ab27 in void std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>::_M_realloc_insert<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&>(__gnu_cxx::__normal_iterator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/vector.tcc:485:23
    #8 0x643e3cf989bc in std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>::insert(__gnu_cxx::__normal_iterator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/vector.tcc:170:2
    #9 0x643e3cf849d6 in void rapidcsv::Document::InsertColumn<int>(unsigned long, std::vector<int, std::allocator<int>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/pvz122/proj/llm/abl-afgenllm/database/rapidcsv/latest/code/src/rapidcsv.h:844:18
    #10 0x643e3cf82703 in main /home/pvz122/proj/llm/poc/rapidcsv/2/poc.cpp:6:7
    #11 0x74ada842a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x74ada842a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #13 0x643e3cea6a24 in _start (/home/pvz122/proj/llm/poc/rapidcsv/2/poc+0x2ea24) (BuildId: d5d80e3cdd177787fd100ea1e631463003ba8c9f)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libstdc++.so.6+0x1688df) (BuildId: ca77dae775ec87540acd7218fa990c40d1c94ab1) in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>::basic_string(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&&)
==687954==ABORTING

This crash appears to be a bug of the library and can cause security issues.

How to reproduce it:

The PoC program is:

#include "rapidcsv.h"

int main() {
  rapidcsv::Document doc("./poc.csv");
  std::vector<int> columnData = {1, 2, 3};
  doc.InsertColumn(2, columnData, "ColumnName");
  return 0;
}

And the PoC CSV file can be downloaded at here.

The build command is like:

clang++ poc.cpp -o poc -fsanitize=address -g -I rapidcsv/src

Environment:

• Version: 8.85
• OS / distro: Ubuntu 24.04

[d99kris]

Hi @pvz122 - thanks for this report too, I haven't tried reproducing the problem yet, but I believe it would have a similar root cause as #186 - and I anticipate the fix will be similar (throwing an exception). I will look into preparing a fix, but it might take a little while (just to adjust the expectations).