Open skorpion98 opened 2 weeks ago
Hi @skorpion98,
Thank you for creating this issue.
All the above mentioned bugs/vulnerabilities along with the newly opened Google oss-fuzz
issues will be addressed in forthcoming version(s) of InChI
.
BTW, we have started using AFL++
on Ubuntu 22.04 LTS
only recently, but please feel free to track down any bug/security issue which might have been overlooked at our end.
Summary
Several undefined-behaviors have been found after testing one of the harnesses provided on the OSS-Fuzz repository (inchi_input_fuzzer).
During our tests we found:
ParseSegmentMobileH()
(INCHI_BASE/src/ichiread.c:8890)ParseSegmentSp2()
(INCHI_BASE/src/ichiread.c:6949)Canon_INChI3()
(INCHI_BASE/src/ichicano.c:132)Steps to reproduce
In the following archive, you will find
bugs
containing the several inputs that caused the aforementioned bugs and their respective UBSan logs, enumerated as the list aboveTo reproduce the errors, simply run the given binary with the testcase files with a command like
./inchi_input_fuzzer /path_to_testcases/input
The program has been tested on the standard Docker image provided on OSS-Fuzz using Ubuntu 20.04, providing AFL++ as fuzzing engine and build flag
--sanitizer=undefined
.The hash commit used to perform the tests is
8477339
.Environment