From 370aed77423a0504794a2543f3ebd8e308d66cd9 Mon Sep 17 00:00:00 2001
From: sirus20x6
Date: Wed, 25 Mar 2026 18:14:00 -0500
Subject: [PATCH] Fix two bugs in regidx.c: OOB array access and double-free
1. regidx_overlap: cap iend to nidx-1 instead of nidx, preventing an out-of-bounds read of list->idx[nidx] in the i<=iend loop.
2. regidx_init: set str.s = NULL after freeing it so the error path does not double-free when hts_close() fails.
---
regidx.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/regidx.c b/regidx.c
index 40d909896..3aeed6799 100644
--- a/regidx.c
+++ b/regidx.c
@@ -289,6 +289,7 @@ regidx_t *regidx_init(const char *fname, regidx_parse_f parser, regidx_free_f fr
 }
 free(str.s);
+ str.s = NULL;
 if ( hts_close(fp)!=0 )
 {
 fprintf(stderr,"[%s] Error: close failed .. %s\n", __func__,fname);
@@ -441,7 +442,7 @@ int regidx_overlap(regidx_t *regidx, const char *chr, uint32_t beg, uint32_t end
 if ( !i )
 {
 int iend = iBIN(end);
- if ( iend > list->nidx ) iend = list->nidx;
+ if ( iend >= list->nidx ) iend = list->nidx - 1;
 for (i=ibeg; i<=iend; i++) if ( list->idx[i] ) break;
 if ( i>iend ) return 0;
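Review bot: The added `str.s = NULL;` is correct only because the error path that follows (outside this hunk) frees `str.s` again and `free(NULL)` is a no-op, and nothing at the line says so; a later edit that moves the `free(str.s)` or reuses `str` would silently reintroduce the double-free. Document the intent on the line itself, e.g. `str.s = NULL;  /* error path below frees str.s again; keep free(NULL) harmless */`, so the ordering constraint is visible where it matters. The `hts_close()` failure branch and the rest of regidx_init continue past the end of this hunk, so I cannot confirm whether the same cleanup also handles `fp` (hts_close already consumed it) without a second close; worth checking in the full function.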
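Review bot: The new cap leaves `iend` at -1 when `list->nidx` is 0, and the `i<=iend` loop then only stays in bounds because `ibeg` is presumably non-negative, which reads as an accident rather than a stated invariant. Either add an explicit guard before the computation, `if ( !list->nidx ) return 0;`, or state the assumption on the capped line, `// nidx>0 here (list has at least one bin), so iend>=0 after the cap`. If `nidx` is an unsigned type, `list->nidx - 1` wraps before the conversion to `int`; I cannot see the struct definition in the hunk, so confirm it is signed or add the guard regardless. Note also that `ibeg` is not bounded in this hunk; if it is capped elsewhere a one-line comment pointing there would help. regidx_overlap's body starts before and continues after this hunk.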