From 24dab0c6fa309cb82546226bfa6a1c5c1ca7efc4 Mon Sep 17 00:00:00 2001
From: James Bonfield
Date: Mon, 4 Dec 2023 09:34:13 +0000
Subject: [PATCH 1/2] Avoid undefined behaviour integer overflow in extend_ref

Credit to OSS-Fuzz
Fixes oss-fuzz 64646
---
 cram/cram_encode.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/cram/cram_encode.c b/cram/cram_encode.c
index a3771bd74..c7e98332d 100644
--- a/cram/cram_encode.c
+++ b/cram/cram_encode.c
@@ -1509,6 +1509,9 @@ static inline int extend_ref(char **ref, uint32_t (**hist)[5], hts_pos_t pos,
         return 0;
     // realloc
+    if (pos - ref_start > UINT_MAX)
+        return -2; // protect overflow in new_end calculation
+
     hts_pos_t old_end = *ref_end ? *ref_end : ref_start;
     hts_pos_t new_end = ref_start + 1000 + (pos-ref_start)*1.5;

From ba18cb9af80c59fec820c4ec753a17446538ec35 Mon Sep 17 00:00:00 2001
From: James Bonfield
Date: Mon, 4 Dec 2023 09:50:25 +0000
Subject: [PATCH 2/2] Fix integer overflow in cram_compress_block2

The figure used here is somewhat arbitrary as it's simply a marker for something considerably worse than no compression, given it's used in places where the compression wasn't applied or fails.

Although sz is long, it may get other modifiers and the CRAM block size is int so UINT_MAX seems like a natural "larger than possible" value to use.

Credit to OSS-Fuzz
Fixes oss-fuzz 64616
---
 cram/cram_io.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cram/cram_io.c b/cram/cram_io.c
index d8d2d295c..c3efb735f 100644
--- a/cram/cram_io.c
+++ b/cram/cram_io.c
@@ -2079,10 +2079,10 @@ int cram_compress_block2(cram_fd *fd, cram_slice *s,
         } else if (c) {
             free(c);
         } else {
-            sz[m] = b->uncomp_size*2+1000; // arbitrarily worse than raw
+            sz[m] = UINT_MAX; // arbitrarily worse than raw
         }
     } else {
-        sz[m] = b->uncomp_size*2+1000; // arbitrarily worse than raw
+        sz[m] = UINT_MAX; // arbitrarily worse than raw
     }
 }
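Review bot: The comment on the new guard names the wrong hazard: because of the `*1.5`, the whole `new_end` expression is evaluated in double, so the undefined behaviour on that line is the final double-to-hts_pos_t conversion when the product exceeds the representable range, not an integer addition overflow; the cap also keeps the subsequent reallocation from being asked for an absurd size. I would say so explicitly: `// cap the distance so (pos-ref_start)*1.5 converts back to hts_pos_t safely and the realloc stays bounded`. The check as written still admits a negative difference (pos < ref_start), which would yield new_end below ref_start; unless an earlier test in extend_ref already rejects that, the condition should be `if (pos < ref_start || pos - ref_start > UINT_MAX)`. The new `-2` return is a distinct failure code, so every caller must treat it as an error rather than as a valid state, which cannot be confirmed from this hunk; extend_ref begins and ends outside it.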
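Review bot: `sz[m] = UINT_MAX` is not portable if sz is a `long` as the commit message states (its declaration is outside the hunk): on LLP64 targets such as Windows a long is 32 bits, the out-of-range conversion is implementation-defined and the common compilers produce -1, so the "worse than raw" marker becomes the smallest entry and a failed or unattempted method would be chosen as the best. A sentinel that fits every long and still exceeds any int-sized CRAM block is INT_MAX; I would use `sz[m] = INT_MAX; // larger than any (int-sized) CRAM block; fits a 32-bit long` at both replaced lines. If sz really does receive further additive modifiers later, INT_MAX keeps headroom on a 64-bit long whereas LONG_MAX would reintroduce the signed overflow this commit is removing. cram_compress_block2 continues outside this hunk, so the later comparison that selects the minimum sz[m] is assumed rather than seen.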