
Various BAM/SAM related issues

Open cryptoad opened this issue 6 years ago • 4 comments

See https://github.com/samtools/htslib/issues/593#issue-259627325 for context.

cryptoad avatar Sep 21 '17 21:09 cryptoad

Integer overflow at https://github.com/samtools/htslib/blob/develop/sam.c#L1230 (it's in a write path, but I figured I'd still file it; the line is slightly different in our version).

ASan output:

third_party/htslib/htslib_1_5/sam.c:1213:18: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
    #0 0x569fda in sam_format1 third_party/htslib/htslib_1_5/sam.c:1213:18
    #1 0x56d59d in sam_write1 third_party/htslib/htslib_1_5/sam.c:1353:13
    #2 0x4fa6c6 in view_sam(hFILE*, char const*) experimental/users/kostyak/htsfuzz/htsreader.cc:35:11

gdb:

(gdb) frame 11
#11 0x0000000000569fdb in sam_format1 (h=0x606000002180, b=0x6060000021e0, str=0x608000000db0) at third_party/htslib/htslib_1_5/sam.c:1213
1213        kputw(c->pos + 1, str); kputc('\t', str); // pos
(gdb) p c->pos
$1 = 2147483647

PoC.zip

cryptoad avatar Sep 21 '17 21:09 cryptoad

Cast overflow at https://github.com/samtools/htslib/blob/develop/sam.c#L1155

ASan output:

third_party/htslib/htslib_1_5/sam.c:1138:67: runtime error: -3.40282e+38 is outside the range of representable values of type 'float'
    #0 0x56784e in sam_parse1 third_party/htslib/htslib_1_5/sam.c:1138:67
    #1 0x569867 in sam_read1 third_party/htslib/htslib_1_5/sam.c:1186:15
    #2 0x4fa6ac in view_sam(hFILE*, char const*) experimental/users/kostyak/htsfuzz/htsreader.cc:34:10

gdb:

Breakpoint 1, sam_parse1 (s=0x608000000d30, h=0x606000002180, b=0x6060000021e0) at third_party/htslib/htslib_1_5/sam.c:1138
1138                else if (type == 'f') while (q + 1 < p) { float_to_le(strtod(q + 1, &q), (uint8_t *) str.s + str.l); str.l += 4; _skip_to_comma(q, p); }
(gdb) p q
$3 = 0x61d00000027c ",-340282366920938463463374607431768211456.--393988384724525692804584,5.5,10545933186608628.5"

PoC.zip

cryptoad avatar Sep 21 '17 21:09 cryptoad
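Added example (not htslib code and not part of the report above): a range-checked version of the `strtod`-then-store step that the second trace points at. Casting a finite double whose magnitude exceeds `FLT_MAX` to `float` is undefined behaviour, which is exactly what the sanitizer flagged for `-3.40282e+38`; checking the magnitude before the cast turns that into a parse error. The function names, the `max` element cap and the constructed inputs in the test are assumptions for illustration; the `float_to_le_bytes` helper only stands in for htslib's `float_to_le`.

```c
#include <errno.h>
#include <float.h>
#include <math.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Convert one decimal field to a float without an out-of-range cast.
   Returns 1 (storing the value and advancing *end) on success, 0 if the
   field is empty or its magnitude exceeds FLT_MAX. Infinities and NaN are
   representable as float and pass through; only a finite double beyond
   FLT_MAX is refused. Rejecting |d| > FLT_MAX is slightly conservative
   (values that would round down to FLT_MAX are refused as well), which is
   the safe direction. */
int parse_float_field(const char *s, char **end, float *out)
{
    char *e;
    errno = 0;
    double d = strtod(s, &e);
    if (e == s) return 0;                                   /* nothing parsed */
    if (isfinite(d) && (d > (double)FLT_MAX || d < -(double)FLT_MAX)) return 0;
    *out = (float)d;
    *end = e;
    return 1;
}

/* Store a float as 4 little-endian bytes, independent of host byte order
   (hypothetical stand-in for htslib's float_to_le). */
void float_to_le_bytes(float f, uint8_t *dst)
{
    uint32_t u;
    memcpy(&u, &f, sizeof u);
    dst[0] = (uint8_t)(u);
    dst[1] = (uint8_t)(u >> 8);
    dst[2] = (uint8_t)(u >> 16);
    dst[3] = (uint8_t)(u >> 24);
}

/* Parse a comma-led list of values (a B:f array body of the form
   ",v1,v2,...") lying between q and p (exclusive end), writing up to max
   little-endian floats into dst. Returns the number of values stored, or
   -1 on an empty, malformed or out-of-range element. */
int parse_float_array(const char *q, const char *p, uint8_t *dst, size_t max)
{
    size_t n = 0;
    while (q < p && *q == ',') {
        float f;
        char *end;
        if (n == max) return -1;                 /* more elements than room */
        if (!parse_float_field(q + 1, &end, &f)) return -1;
        if (end > p) return -1;                  /* number ran past the field */
        float_to_le_bytes(f, dst + 4 * n);
        n++;
        q = end;
    }
    if (q != p) return -1;                       /* trailing garbage */
    return (int)n;
}
```

Fed the array from the gdb session above, `parse_float_array` fails on the first element instead of performing the undefined cast; a well-formed list is stored unchanged.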

Integer overflow at https://github.com/samtools/htslib/blob/develop/sam.c#L1021

ASan output:

third_party/htslib/htslib_1_5/sam.c:1004:41: runtime error: signed integer overflow: 2147483647 + 10 cannot be represented in type 'int'
    #0 0x562a70 in sam_parse1 third_party/htslib/htslib_1_5/sam.c:1004:41
    #1 0x569867 in sam_read1 third_party/htslib/htslib_1_5/sam.c:1186:15
    #2 0x4fa6ac in view_sam(hFILE*, char const*) experimental/users/kostyak/htsfuzz/htsreader.cc:34:10

gdb:

(gdb) frame 11
#11 0x0000000000562a71 in sam_parse1 (s=0x608000000d30, h=0x606000002180, b=0x6060000021e0) at third_party/htslib/htslib_1_5/sam.c:1004
1004        c->bin = hts_reg2bin(c->pos, c->pos + i, 14, 5);
(gdb) p c->pos
$1 = 2147483647

PoC.zip

cryptoad avatar Sep 21 '17 21:09 cryptoad
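Added example (not htslib code and not part of the reports above) covering both `c->pos + 1` in `sam_format1` and `c->pos + i` in `sam_parse1`: the same overflow-checked addition serves the write path and the bin computation, and a range check at parse time keeps `pos = 2147483647` from reaching either site in the first place. The SAM specification bounds POS to [0, 2^31-1], so the 0-based BAM `pos` must lie in [-1, INT_MAX-1]. Function names (`checked_add_int`, `bam_pos_in_range`, `format_pos1`, `record_end`) and the test values are assumptions for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Overflow-checked signed addition. Returns 1 and stores a+b in *r, or 0
   if the true sum is not representable as int. Evaluating a+b directly in
   that case is undefined behaviour, which is what the sanitizer reported at
   both sam.c sites. */
int checked_add_int(int a, int b, int *r)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b)) return 0;
    *r = a + b;
    return 1;
}

/* 0-based BAM pos derived from a spec-conformant POS: -1 (unplaced)
   through INT_MAX-1. Rejecting anything else when the record is read
   removes pos == INT_MAX before kputw(c->pos + 1) or
   hts_reg2bin(c->pos, c->pos + i, ...) ever sees it. */
int bam_pos_in_range(int pos)
{
    return pos >= -1 && pos <= INT_MAX - 1;
}

/* Write the 1-based POS column. Returns the number of characters written,
   or -1 if pos + 1 is not representable or buf is too small. */
int format_pos1(int pos, char *buf, size_t n)
{
    int pos1;
    if (!checked_add_int(pos, 1, &pos1)) return -1;
    int len = snprintf(buf, n, "%d", pos1);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Exclusive end coordinate pos + ref_len, as used for binning. Returns 0
   (leaving *end untouched) if pos is out of range, ref_len is negative, or
   the sum overflows. */
int record_end(int pos, int ref_len, int *end)
{
    if (!bam_pos_in_range(pos) || ref_len < 0) return 0;
    return checked_add_int(pos, ref_len, end);
}
```

Note that an in-range `pos` is not sufficient on its own: `INT_MAX - 1` passes the range check but still overflows once a reference length is added, so the addition stays checked even after validation.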

Integer overflow at https://github.com/samtools/htslib/blob/develop/sam.c#L402 (this one is actually mitigated by https://github.com/samtools/htslib/blob/develop/sam.c#L403)

ASan output:

third_party/htslib/htslib_1_5/sam.c:402:27: runtime error: signed integer overflow: -2147483648 - 32 cannot be represented in type 'int'
    #0 0x556394 in bam_read1 third_party/htslib/htslib_1_5/sam.c:402:27
    #1 0x569373 in sam_read1 third_party/htslib/htslib_1_5/sam.c:1163:17
    #2 0x4fa6ac in view_sam(hFILE*, char const*) experimental/users/kostyak/htsfuzz/htsreader.cc:34:10

gdb:

(gdb) frame 11
#11 0x0000000000556395 in bam_read1 (fp=0x60b000000460, b=0x6060000021e0) at third_party/htslib/htslib_1_5/sam.c:402
402         b->l_data = block_len - 32 + c->l_extranul;
(gdb) p block_len
$` = -2147483648

PoC.zip

cryptoad avatar Sep 21 '17 21:09 cryptoad
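Added example (not htslib code and not part of the report above): validating the on-disk `block_len` before it is used in arithmetic. The check on the following line that the report mentions runs only after `block_len - 32` has already been evaluated, and for `block_len = -2147483648` that subtraction is itself the undefined operation, so the result the later check inspects is not guaranteed to be anything in particular. Rejecting `block_len < 32` first makes every negative value, including `INT_MIN`, fail without any overflow; a cap on the resulting length also bounds the allocation that follows. The function names, the `max_data` cap and the 0..3 bound on `l_extranul` (htslib pads the name to 4-byte alignment, but only non-negativity matters for the arithmetic) are assumptions for illustration; the 32 is the fixed core size subtracted in `bam_read1`.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fixed-size part of a BAM record body that block_len must at least cover
   (the 32 subtracted in bam_read1). */
#define BAM_CORE_SIZE 32

/* Derive l_data from an untrusted block_len. Returns 1 and sets *l_data,
   or 0 when block_len is smaller than the core (which covers every
   negative value, INT_MIN included), when l_extranul is outside 0..3, or
   when the variable part would exceed max_data. */
int bam_l_data_from_block_len(int32_t block_len, int l_extranul,
                              int max_data, int *l_data)
{
    if (l_extranul < 0 || l_extranul > 3) return 0;
    if (max_data < 0) return 0;
    if (block_len < BAM_CORE_SIZE) return 0;          /* no subtraction on bad input */
    int len = block_len - BAM_CORE_SIZE;              /* now in [0, INT_MAX-32] */
    if (len > max_data - l_extranul) return 0;        /* bound before allocating */
    *l_data = len + l_extranul;                       /* cannot overflow here */
    return 1;
}

/* Decode the 4-byte little-endian block_len field as stored in BAM. The
   bytes are assembled as unsigned and copied into an int32_t, so no
   out-of-range integer conversion is performed. */
int32_t bam_block_len_from_bytes(const uint8_t hdr[4])
{
    uint32_t u = (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8)
               | ((uint32_t)hdr[2] << 16) | ((uint32_t)hdr[3] << 24);
    int32_t v;
    memcpy(&v, &u, sizeof v);
    return v;
}

/* Read and validate the block length in one step. */
int bam_read_block_len(const uint8_t hdr[4], int l_extranul,
                       int max_data, int *l_data)
{
    return bam_l_data_from_block_len(bam_block_len_from_bytes(hdr),
                                     l_extranul, max_data, l_data);
}
```

With this ordering the value from the gdb session (`block_len = -2147483648`) is rejected by the `< 32` comparison alone, and a value of `INT32_MAX` is rejected by the cap rather than being handed to the allocator.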