Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Calloc-parameters-overflow in function ParseSegmentFormula() #58

Open
skorpion98 opened this issue Sep 13, 2024 · 2 comments
Open

Calloc-parameters-overflow in function ParseSegmentFormula() #58

skorpion98 opened this issue Sep 13, 2024 · 2 comments
Assignees
@djb-rwth

Comments

@skorpion98
Copy link

Summary

In function ParseSegmentFormula(), an invalid value is being used as size for an allocation through calloc().

InChI/INCHI-1-SRC/INCHI_BASE/src/ichiread.c

Line 9967 in 8477339

if (!(pInpInChI[bMobileH] = (INChI*)inchi_calloc(nNumComponents, sizeof(INChI))))

ASan output

==267==ERROR: AddressSanitizer: calloc parameters overflow: count * size (-1 * 160) cannot be represented in type size_t (thread T0)
	#0 0x55edbbdd4b18 in calloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:77:3
	#1 0x55edbc131afc in ParseSegmentFormula /src/inchi/INCHI-1-SRC/INCHI_BASE/src/ichiread.c:9967:41
	#2 0x55edbc0fa7a5 in ReadInChILine /src/inchi/INCHI-1-SRC/INCHI_BASE/src/ichiread.c:5374:19
	#3 0x55edbc0fa7a5 in InChILine2Data /src/inchi/INCHI-1-SRC/INCHI_BASE/src/ichiread.c:2384:11
	#4 0x55edbc0f262c in ReadWriteInChI /src/inchi/INCHI-1-SRC/INCHI_BASE/src/ichiread.c:787:23
	#5 0x55edbbe1d4ac in GetINCHIfromINCHI /src/inchi/INCHI-1-SRC/INCHI_API/libinchi/src/inchi_dll.c:2322:16
	#6 0x55edbbe13bee in LLVMFuzzerTestOneInput /src/inchi_input_fuzzer.c:46:3
	#7 0x55edbbe14499 in ExecuteFilesOnyByOne /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:255:7

Steps to reproduce

In the following archive, you will find

  • the executable on which we performed our tests
  • the input file that caused the bug
  • the output of ASan confirming our finding

To reproduce the errors, simply run the given binary with the testcase files with a command like ./inchi_input_fuzzer /path_to_testcases/input

The program has been tested on the standard Docker image provided on OSS-Fuzz using Ubuntu 20.04, providing AFL++ as fuzzing engine and build flag --sanitizer=address.

The hash commit used to perform the tests is 8477339.

Environment

  • OS: Linux
  • Version/Distribution: Ubuntu 20.04
  • Architecture: x86_64
@djb-rwth
Copy link
Collaborator

Hi @skorpion98,
Thank you for creating this issue.
All the above mentioned bugs/vulnerabilities along with the newly opened Google oss-fuzz issues will be addressed in forthcoming version(s) of InChI.

BTW, we have started using AFL++ on Ubuntu 22.04 LTS only recently, but please feel free to track down any bug/security issue which might have been overlooked at our end.

@djb-rwth djb-rwth self-assigned this Sep 23, 2024
@djb-rwth
Copy link
Collaborator

Hi @skorpion98,
The above stated issues have been addressed in InChI v1.07.2, which has now been uploaded to rwth branch.
Please feel free to let me know if you have any further suggestions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@djb-rwth djb-rwth

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@skorpion98 @djb-rwth