```cpp
// end of the quoted GffLine constructor (gclib/gff.cpp), after the tab-splitting loop
        GMessage("Warning: unexpected tab character in last column, line truncated:\n%s\n",l);
    }
    gffWarnings=reader->gff_warns;
    gseqname=t[0];   // these reads assume the loop above set every t[i]
    track=t[1];
    ftype=t[2];
    info=t[8];       // never assigned when the line has fewer than nine tab-separated columns
```
When GCLib reads a GFF line with no info segment, the char * at t[8] is never assigned and keeps whatever stale value happens to be at that position on the stack. Triggered accidentally, this causes a segfault when that invalid address is read.
However, a maliciously crafted input may be able to leave a valid pointer at that stack location, turning the crash into a more severe vulnerability.
Proposed Patch
At a minimum, t should be zeroed during initialization:
*** v0.12.7/gclib/gff.cpp 2021-07-23 10:31:39.000000000 -0400--- new/gclib/gff.cpp 2021-10-04 10:54:52.989309121 -0400
*************** GffLine::GffLine(GffReader* reader, cons
*** 405,411 ****
GMALLOC(dupline, llen+1);
memcpy(dupline, l, llen+1);
skipLine=true; //clear only if we make it to the end of this function
! char* t[9];
int i=0;
int tidx=1;
t[0]=line;
--- 405,411 ----
GMALLOC(dupline, llen+1);
memcpy(dupline, l, llen+1);
skipLine=true; //clear only if we make it to the end of this function
! char* t[9] = {0};
int i=0;
int tidx=1;
t[0]=line;
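Review bot: `char* t[9] = {0};` on its own only turns the stale-pointer read into a NULL dereference, because `info=t[8]` (and the other `t[i]` reads further down the constructor) still run unconditionally, so a line with fewer than nine columns now crashes deterministically instead of randomly. Pair the initializer with a guard after the splitting loop and before those reads, along the lines of `if (tidx<9 || t[8]==NULL) { GMessage("Error: fewer than 9 columns, skipping line:\n%s\n", l); return; }`, so that the early return leaves `skipLine=true` (set just above, to be cleared only at the end of the constructor) and the malformed line is dropped with a warning. The second, "ideal" patch the text refers to is not included in the report, so that guard is the piece still missing here.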
Ideally, the library should also handle a line with no info segment gracefully instead of crashing; that is only possible once t is zero-initialized, so that the missing column can be detected as a null pointer.
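As an added illustration (not code from this report or from gclib), here is the same tab-splitting pattern in C with both fixes applied: the pointer array is zero-initialised, and a column-count check skips any line that does not reach the ninth column instead of dereferencing a null or stale pointer. The names split_gff_columns, parse_gff_line and gff_fields are my own, and the sample lines are constructed.

```c
#include <stdio.h>
#include <string.h>

#define GFF_NCOLS 9   /* seqname, source, type, start, end, score, strand, phase, attributes */
/* Split a GFF line in place on tabs the way the GffLine constructor does:
 * t[0] points at the line and each later t[k] at the text after the k-th tab.
 * Returns the number of columns found; a tab inside the ninth column truncates
 * that column (the "unexpected tab character in last column" warning above). */
int split_gff_columns(char *line, char *t[GFF_NCOLS]) {
    int tidx = 1;
    t[0] = line;
    for (size_t i = 0; line[i] != '\0'; i++) {
        if (line[i] != '\t') continue;
        line[i] = '\0';
        if (tidx == GFF_NCOLS) {
            fprintf(stderr, "Warning: unexpected tab character in last column, line truncated\n");
            break;
        }
        t[tidx++] = line + i + 1;
    }
    return tidx;
}

typedef struct { const char *seqname, *track, *ftype, *info; } gff_fields;

/* Returns 0 and fills out on success, -1 for a line with fewer than nine columns.
 * t is zero-initialised (the proposed patch), so a missing column is a NULL rather
 * than a stale stack value, and the count check makes sure it is never dereferenced. */
int parse_gff_line(char *line, gff_fields *out) {
    char *t[GFF_NCOLS] = {0};
    int ncols = split_gff_columns(line, t);
    if (ncols < GFF_NCOLS || t[8] == NULL) {
        fprintf(stderr, "Error: GFF line has %d columns, expected %d; skipping\n", ncols, GFF_NCOLS);
        return -1;
    }
    out->seqname = t[0];
    out->track = t[1];
    out->ftype = t[2];
    out->info = t[8];
    return 0;
}

int main(void) {   /* constructed sample lines; the second one lacks its attributes column */
    char ok[] = "chr1\tHAVANA\texon\t100\t200\t.\t+\t.\tgene_id \"G1\"";
    char bad[] = "chr1\tHAVANA\texon\t100\t200\t.\t+\t.";
    gff_fields f;
    printf("ok:  %d\n", parse_gff_line(ok, &f));   /* 0, f.info is the attributes text */
    printf("bad: %d\n", parse_gff_line(bad, &f));  /* -1, t[8] was NULL and is never read */
    return 0;
}
```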
Reproduce
PoC Input: min.gz
Steps to Reproduce:
```sh
gzip -d min.gz
./gffread -E min -o out
```
Output:
Root Cause
The affected code is gclib/gff.cpp, lines 413 to 432 at commit 8aee376 (the GffLine constructor quoted at the top of this report); the read of the invalid address happens at gclib/gff.cpp line 118 at the same commit. The analysis and the proposed patch are given above.
Credit
This bug was detected using AFL and localized using ARCUS.