IUPAC-InChI / InChI

Main InChI repository
https://iupac-inchi.github.io/InChI-Web-Demo/
MIT License

Calloc-parameters-overflow in function `ParseSegmentFormula()` #58

Open skorpion98 opened 2 months ago

skorpion98 commented 2 months ago

Summary

In function ParseSegmentFormula(), an invalid value is being used as size for an allocation through calloc(). https://github.com/IUPAC-InChI/InChI/blob/84773394f6b5e249747bc48c24372244b586909f/INCHI-1-SRC/INCHI_BASE/src/ichiread.c#L9967

ASan output

==267==ERROR: AddressSanitizer: calloc parameters overflow: count * size (-1 * 160) cannot be represented in type size_t (thread T0)
    #0 0x55edbbdd4b18 in calloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:77:3
    #1 0x55edbc131afc in ParseSegmentFormula /src/inchi/INCHI-1-SRC/INCHI_BASE/src/ichiread.c:9967:41
    #2 0x55edbc0fa7a5 in ReadInChILine /src/inchi/INCHI-1-SRC/INCHI_BASE/src/ichiread.c:5374:19
    #3 0x55edbc0fa7a5 in InChILine2Data /src/inchi/INCHI-1-SRC/INCHI_BASE/src/ichiread.c:2384:11
    #4 0x55edbc0f262c in ReadWriteInChI /src/inchi/INCHI-1-SRC/INCHI_BASE/src/ichiread.c:787:23
    #5 0x55edbbe1d4ac in GetINCHIfromINCHI /src/inchi/INCHI-1-SRC/INCHI_API/libinchi/src/inchi_dll.c:2322:16
    #6 0x55edbbe13bee in LLVMFuzzerTestOneInput /src/inchi_input_fuzzer.c:46:3
    #7 0x55edbbe14499 in ExecuteFilesOnyByOne /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:255:7

Steps to reproduce

In the following archive, you will find

To reproduce the errors, simply run the given binary with the testcase files with a command like `./inchi_input_fuzzer /path_to_testcases/input`

The program has been tested on the standard Docker image provided on OSS-Fuzz using Ubuntu 20.04, providing AFL++ as fuzzing engine and build flag --sanitizer=address.

The hash commit used to perform the tests is 8477339.

Environment
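The ASan message above says the count argument reached `calloc()` as `-1`: a signed, negative element count that is implicitly widened to `size_t` becomes `SIZE_MAX`, and `SIZE_MAX * 160` cannot be represented. The following is an added illustration of that conversion and of a checked allocation wrapper that rejects it before `calloc()` is ever called; it is not code from InChI or from this issue, the element size 160 is only borrowed from the ASan output, and `checked_calloc`/`alloc_rejected` are hypothetical names.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical element size, taken from the "-1 * 160" in the ASan report. */
#define ELEM_SIZE 160

/* Unchecked pattern: a signed, possibly negative element count is passed
 * straight to calloc(). With num_elems == -1 the implicit conversion to
 * size_t yields SIZE_MAX, and SIZE_MAX * ELEM_SIZE cannot be represented.
 * Under ASan this is reported as "calloc parameters overflow"; a plain libc
 * build typically returns NULL, which an unchecked caller then dereferences.
 * Shown for contrast only; not called by the checks below. */
void *unchecked_alloc(int num_elems)
{
    return calloc(num_elems, ELEM_SIZE); /* -1 silently becomes SIZE_MAX here */
}

/* Hardened form: validate the signed count before it is widened, then make
 * sure the product fits in size_t. Any invalid input returns NULL without
 * touching the allocator, so the caller sees a normal allocation failure. */
void *checked_calloc(long num_elems, size_t elem_size)
{
    if (num_elems <= 0 || elem_size == 0) {
        return NULL;                 /* a non-positive count is a parser error */
    }
    size_t n = (size_t)num_elems;    /* safe: num_elems is known to be positive */
    if (n > SIZE_MAX / elem_size) {
        return NULL;                 /* n * elem_size would wrap around */
    }
    return calloc(n, elem_size);
}

/* Returns 1 if the wrapper refuses the request, 0 if it hands out memory
 * (which is freed again). Used so the behaviour can be asserted on. */
int alloc_rejected(long num_elems, size_t elem_size)
{
    void *p = checked_calloc(num_elems, elem_size);
    if (p == NULL) {
        return 1;
    }
    free(p);
    return 0;
}

int main(void)
{
    /* Constructed inputs: the count from the ASan report, a sane count,
     * and a count whose product with ELEM_SIZE overflows size_t. */
    printf("count=-1:       %s\n", alloc_rejected(-1, ELEM_SIZE) ? "rejected" : "allocated");
    printf("count=3:        %s\n", alloc_rejected(3, ELEM_SIZE) ? "rejected" : "allocated");
    printf("count=LONG_MAX: %s\n", alloc_rejected(LONG_MAX, ELEM_SIZE) ? "rejected" : "allocated");
    return 0;
}
```

The two checks are deliberately separate: the sign test catches the negative count that a parser produces when it mis-reads the input (the case in this report), while the `SIZE_MAX / elem_size` test catches legitimately large counts whose byte total would wrap. Checking only the product, after the value has already been converted to `size_t`, would miss the first case entirely.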

djb-rwth commented 1 month ago

Hi @skorpion98, thank you for creating this issue. All the above-mentioned bugs/vulnerabilities, along with the newly opened Google oss-fuzz issues, will be addressed in forthcoming version(s) of InChI.

BTW, we have started using AFL++ on Ubuntu 22.04 LTS only recently, but please feel free to track down any bug/security issue which might have been overlooked at our end.

djb-rwth commented 1 week ago

Hi @skorpion98, the above-stated issues have been addressed in InChI v1.07.2, which has now been uploaded to the rwth branch. Please feel free to let me know if you have any further suggestions.