
ASAN memory copy bugs in blosc2_schunk_to_frame

Open nmoinvaz opened this issue 5 years ago • 2 comments

There appears to be a bug in blosc2_schunk_to_frame. It happens in: https://github.com/Blosc/c-blosc2/blob/9de39a266ae28661397448764c63b41f05bdf2c0/blosc/frame.c#L606

off_chunk is null because nchunks == 0. Next highest function up in the stack is blosc2_new_schunk and it appears that schunk->nchunks is never set and is 0.

This can be reproduced by running the frame_backed_schunk test app. Not sure how to handle it.

nmoinvaz, Sep 19 '20 03:09

There is also another similar issue in frame_update_trailer. Apparently blosc2_schunk_to_frame calls into frame_update_trailer and schunk->usermeta is null. This can be fixed relatively easily by checking for usermeta_len == 0. https://github.com/Blosc/c-blosc2/blob/9de39a266ae28661397448764c63b41f05bdf2c0/blosc/frame.c#L453

nmoinvaz, Sep 19 '20 03:09
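As an added example (not code from c-blosc2 or from the reporter), a constructed trailer writer that applies the guard the comment proposes: skip the copy when the optional field is empty, so memcpy is never handed a NULL source. The trailer layout, the names and the trailer_check hook are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for an optional variable-length field such as
   schunk->usermeta: data == NULL together with len == 0 is a legal state. */
typedef struct { const uint8_t *data; int32_t len; } opt_bytes;

/* Bounds-checked append. The len == 0 early return is the guard the issue
   suggests: memcpy's source is declared nonnull, so passing NULL is
   undefined behaviour even when zero bytes would be copied. */
static int append_bytes(uint8_t *buf, size_t cap, size_t *off,
                        const void *src, size_t len) {
    if (len == 0) return 0;        /* nothing to copy; src may be NULL */
    if (src == NULL) return -1;    /* non-empty field without storage */
    if (*off > cap || cap - *off < len) return -1;
    memcpy(buf + *off, src, len);
    *off += len;
    return 0;
}

/* Hypothetical trailer layout: 4-byte little-endian length, then the bytes.
   Returns bytes written, or -1 on error. */
static long write_trailer(uint8_t *buf, size_t cap, opt_bytes um) {
    if (um.len < 0) return -1;
    uint32_t n = (uint32_t)um.len;
    uint8_t hdr[4] = { (uint8_t)n, (uint8_t)(n >> 8),
                       (uint8_t)(n >> 16), (uint8_t)(n >> 24) };
    size_t off = 0;
    if (append_bytes(buf, cap, &off, hdr, sizeof hdr) != 0) return -1;
    if (append_bytes(buf, cap, &off, um.data, n) != 0) return -1;
    return (long)off;
}

/* Writes a trailer into a cap-byte scratch buffer and compares it with
   expect. Returns the byte count, -1 on write error, -2 on mismatch. */
long trailer_check(const uint8_t *data, int32_t len, size_t cap,
                   const uint8_t *expect, size_t expect_len) {
    uint8_t buf[64] = {0};
    if (cap > sizeof buf) return -1;
    long n = write_trailer(buf, cap, (opt_bytes){ data, len });
    if (n < 0) return n;
    return ((size_t)n == expect_len && memcmp(buf, expect, expect_len) == 0) ? n : -2;
}

int main(void) {
    /* Empty usermeta (NULL, 0) must serialise cleanly instead of tripping UBSan. */
    printf("empty trailer: %ld bytes\n", trailer_check(NULL, 0, 16, (const uint8_t *)"\0\0\0\0", 4));
    return 0;
}
```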

Here is the relevant ASAN output:

../blosc/frame.c:606:43: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:43:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../blosc/frame.c:606:43 in 
../blosc/frame.c:453:20: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:43:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../blosc/frame.c:453:20 in 

nmoinvaz, Sep 19 '20 03:09