
[bwa_index] Pack FASTA... *** buffer overflow detected *** #239

Open

H4niz opened this issue Apr 16, 2019 · 4 comments

Comments

@H4niz

H4niz commented Apr 16, 2019

I found a buffer overflow in the [bns_fasta2bntseq] function.

```c
int64_t bns_fasta2bntseq(gzFile fp_fa, const char *prefix, int for_only)
{
	extern void seq_reverse(int len, ubyte_t *seq, int is_comp); // in bwaseqio.c
	kseq_t *seq;
	char name[1024];
	bntseq_t *bns;
	uint8_t *pac = 0;
	int32_t m_seqs, m_holes;
	int64_t ret = -1, m_pac, l;
	bntamb1_t *q;
	FILE *fp;

	// initialization
	....
	// no length check: a prefix longer than the 1024-byte buffer overruns name
	strcpy(name, prefix); strcat(name, ".pac");
	...
	return ret;
}
```

The name buffer has only 1024 bytes, so a buffer overflow occurs if we pass more than 1024 bytes as the prefix. It's a vulnerability.

@yanlinlin82

This could be fixed by snprintf, like:

```c
snprintf(name, sizeof(name), "%s.pac", prefix);
```

@H4niz

H4niz commented Apr 20, 2019

In another function that uses the same input as [bns_fasta2bntseq], the [bns_dump] function in bntseq.c, there is a buffer overflow too.

```c
void bns_dump(const bntseq_t *bns, const char *prefix)
{
	char str[1024];
	FILE *fp;
	int i;
	{ // dump .ann
		// same pattern: unbounded copy of prefix into a 1024-byte buffer
		strcpy(str, prefix); strcat(str, ".ann");
(......)
	{ // dump .amb
		strcpy(str, prefix); strcat(str, ".amb");
(....)
}
```

The buffer overflow occurs in the str buffer. They can be fixed with snprintf, as @yanlinlin82 recommends.
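The snprintf fix proposed above silently truncates an over-long prefix instead of overflowing, which is safe but can still produce a wrong file name. The following is an added example (not bwa's code; the helper name `build_index_path` and the demo function are assumptions) showing the hardened form of the `prefix + suffix` construction from both functions discussed in this thread: it bounds the write and also checks snprintf's return value so a prefix that does not fit is rejected rather than truncated.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 1024  /* same fixed size as the name[] / str[] buffers above */

/* Build "<prefix><suffix>" into out[out_size].
 * Returns 0 on success, -1 if the result (including the terminating NUL)
 * would not fit. On failure out is set to "" so a truncated path is never
 * handed to fopen(). */
int build_index_path(char *out, size_t out_size, const char *prefix, const char *suffix)
{
    if (out == NULL || out_size == 0 || prefix == NULL || suffix == NULL)
        return -1;

    /* snprintf never writes past out_size bytes; its return value is the
     * length the full string *would* have had, which is how truncation is detected. */
    int n = snprintf(out, out_size, "%s%s", prefix, suffix);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Demo: a constructed prefix longer than the buffer (the case that overflowed
 * the original strcpy/strcat) is rejected instead of corrupting the stack. */
int demo_long_prefix_is_rejected(void)
{
    char name[PATH_BUF];
    char long_prefix[PATH_BUF + 64];            /* constructed oversize input */
    memset(long_prefix, 'A', sizeof(long_prefix) - 1);
    long_prefix[sizeof(long_prefix) - 1] = '\0';
    return build_index_path(name, sizeof(name), long_prefix, ".pac");
}

int main(void)
{
    char name[PATH_BUF];
    if (build_index_path(name, sizeof(name), "ref", ".pac") == 0)
        printf("ok: %s\n", name);
    printf("oversize prefix rejected: %s\n",
           demo_long_prefix_is_rejected() == -1 ? "yes" : "no");
    return 0;
}
```

A caller such as bns_fasta2bntseq or bns_dump would check the return value and report an error instead of opening the file; the size check happens once per path, so the `.pac`, `.ann` and `.amb` names can all go through the same helper.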

@carnil

carnil commented Apr 21, 2019

CVE-2019-11371 was assigned for this issue.

@pfsmorigo

Any update?
