
[bwa_index] Pack FASTA... *** buffer overflow detected ***

Open H4niz opened this issue 5 years ago • 4 comments

I found a buffer overflow in [bns_fasta2bntseq] function.

int64_t bns_fasta2bntseq(gzFile fp_fa, const char *prefix, int for_only)
{
	extern void seq_reverse(int len, ubyte_t *seq, int is_comp); // in bwaseqio.c
	kseq_t *seq;
	char name[1024];
	bntseq_t *bns;
	uint8_t *pac = 0;
	int32_t m_seqs, m_holes;
	int64_t ret = -1, m_pac, l;
	bntamb1_t *q;
	FILE *fp;

	// initialization
	....
	// unbounded copy: overflows name[1024] once strlen(prefix) + strlen(".pac") + 1 > 1024
	strcpy(name, prefix); strcat(name, ".pac");
	...
	return ret;
}

The name buffer has only 1024 bytes, so a buffer overflow occurs if we pass more than 1024 bytes as the prefix. It's a vulnerability.

H4niz, Apr 16 '19 17:04

This could be fixed by snprintf, like:

snprintf(name, sizeof(name), "%s.pac", prefix);

yanlinlin82, Apr 17 '19 03:04

In another function that takes the same input as [bns_fasta2bntseq], the [bns_dump] function in bntseq.c, there is a buffer overflow as well.

void bns_dump(const bntseq_t *bns, const char *prefix)
{
	char str[1024];
	FILE *fp;
	int i;
	{ // dump .ann
		strcpy(str, prefix); strcat(str, ".ann"); // same unbounded copy into str[1024]
(......)
	{ // dump .amb
		strcpy(str, prefix); strcat(str, ".amb"); // same unbounded copy into str[1024]
(....)
}

The buffer overflow occurs in the str buffer. They can be fixed with snprintf, as @yanlinlin82 recommended.

H4niz, Apr 20 '19 16:04
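Added example of the snprintf-based fix suggested in this thread, including the truncation check that a bare snprintf call does not give you (snprintf stops writing at the buffer size but silently shortens the name, and a shortened ".pac" path is a different file). This is illustrative code written for this page, not bwa's; build_index_path and demo are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Build "<prefix><ext>" into a fixed-size buffer the way bns_fasta2bntseq
 * and bns_dump need, without strcpy/strcat. Returns 0 on success and -1 if
 * the full name would not fit; on -1 the buffer is left empty rather than
 * holding a truncated path. */
int build_index_path(char *dst, size_t dstsz, const char *prefix, const char *ext)
{
    int n;
    if (dst == NULL || dstsz == 0 || prefix == NULL || ext == NULL) return -1;
    n = snprintf(dst, dstsz, "%s%s", prefix, ext);
    if (n < 0 || (size_t)n >= dstsz) {  /* result needs n + 1 bytes incl. NUL */
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Exercises the boundary with the same 1024-byte buffer as the report:
 * a 1019-char prefix plus ".pac" fits exactly (1023 chars + NUL), a
 * 1020-char prefix is rejected instead of overflowing by the terminator,
 * and a much longer prefix is rejected as well. Returns 0 when all hold. */
int demo(void)
{
    char name[1024];
    char big[2048];
    memset(big, 'A', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';

    if (build_index_path(name, sizeof(name), "ref", ".pac") != 0) return 1;
    if (strcmp(name, "ref.pac") != 0) return 2;

    big[1019] = '\0';                       /* constructed 1019-char prefix */
    if (build_index_path(name, sizeof(name), big, ".pac") != 0) return 3;
    if (strlen(name) != 1023) return 4;

    big[1019] = 'A'; big[1020] = '\0';      /* constructed 1020-char prefix */
    if (build_index_path(name, sizeof(name), big, ".pac") != -1) return 5;
    if (name[0] != '\0') return 6;

    big[1020] = 'A';                        /* back to 2047 chars */
    if (build_index_path(name, sizeof(name), big, ".pac") != -1) return 7;
    return 0;
}

int main(void)
{
    int rc = demo();
    printf("demo: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```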

CVE-2019-11371 was assigned for this issue.

carnil, Apr 21 '19 06:04

Any update?

pfsmorigo, Dec 16 '19 19:12