lh3 / bwa

Burrow-Wheeler Aligner for short-read alignment (see minimap2 for long-read alignment)
GNU General Public License v3.0

[bwa_index] Pack FASTA... *** buffer overflow detected *** #239

Open H4niz opened 5 years ago

H4niz commented 5 years ago

I found a buffer overflow in the [bns_fasta2bntseq] function.

int64_t bns_fasta2bntseq(gzFile fp_fa, const char *prefix, int for_only)
{
    extern void seq_reverse(int len, ubyte_t *seq, int is_comp); // in bwaseqio.c
    kseq_t *seq;
    char name[1024];
    bntseq_t *bns;
    uint8_t *pac = 0;
    int32_t m_seqs, m_holes;
    int64_t ret = -1, m_pac, l;
    bntamb1_t *q;
    FILE *fp;

    // initialization
    ....
    strcpy(name, prefix); strcat(name, ".pac");
    ...
    return ret;
}

The name buffer has only 1024 bytes, so a buffer overflow occurs if we pass more than 1024 bytes as the prefix. It's a vulnerability.

yanlinlin82 commented 5 years ago

This could be fixed by snprintf, like:

snprintf(name, sizeof(name), "%s.pac", prefix);

H4niz commented 5 years ago

Another function that uses the same input as [bns_fasta2bntseq], the [bns_dump] function in bntseq.c, has a buffer overflow as well.

void bns_dump(const bntseq_t *bns, const char *prefix)
{
    char str[1024];
    FILE *fp;
    int i;
    { // dump .ann
        strcpy(str, prefix); strcat(str, ".ann");
(......)
    { // dump .amb
        strcpy(str, prefix); strcat(str, ".amb");
(....)
}

The buffer overflow occurs in the str buffer. Both can be fixed with snprintf, as @yanlinlin82 recommends.
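As an added example (not bwa's code and not from any of the commenters): a hypothetical `build_index_name()` helper that replaces the strcpy/strcat pattern shown for both bns_fasta2bntseq() and bns_dump() with a bounded snprintf() whose return value is checked, because snprintf() alone stops the overflow but silently truncates the path; `try_prefix_len()` probes the 1024-byte boundary with constructed prefixes.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not bwa code): build "<prefix><suffix>" into dst, as
 * bns_fasta2bntseq() and bns_dump() build "<prefix>.pac" / ".ann" / ".amb".
 * strcpy()+strcat() into a fixed char[1024] write past the buffer when the
 * prefix is long. snprintf() bounds the write, but it silently truncates, so
 * its return value must be checked; otherwise the index would be written to
 * a truncated, wrong path. Returns 0 on success, -1 if the name does not fit. */
int build_index_name(char *dst, size_t dstsz, const char *prefix, const char *suffix)
{
    if (dst == NULL || dstsz == 0 || prefix == NULL || suffix == NULL) return -1;
    int n = snprintf(dst, dstsz, "%s%s", prefix, suffix);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0'; /* do not leave a plausible-looking partial path behind */
        return -1;
    }
    return 0;
}

/* Builds a constructed prefix of `prefix_len` 'A's and appends ".pac" into a
 * 1024-byte buffer like the ones in bntseq.c. Returns build_index_name()'s
 * result: 0 when prefix_len + 4 + NUL <= 1024 (prefix_len <= 1019), else -1. */
int try_prefix_len(size_t prefix_len)
{
    char prefix[4096];
    char name[1024];
    if (prefix_len >= sizeof(prefix)) return -1;
    memset(prefix, 'A', prefix_len);
    prefix[prefix_len] = '\0';
    return build_index_name(name, sizeof(name), prefix, ".pac");
}

int main(void)
{
    char name[1024];
    if (build_index_name(name, sizeof(name), "ref.fa", ".pac") == 0)
        printf("ok: %s\n", name);                              /* prints "ok: ref.fa.pac" */
    printf("1019-byte prefix: %d\n", try_prefix_len(1019));   /* 0  (fits exactly) */
    printf("1020-byte prefix: %d\n", try_prefix_len(1020));   /* -1 (no room for the NUL) */
    printf("1500-byte prefix: %d\n", try_prefix_len(1500));   /* -1 (would have overflowed) */
    return 0;
}
```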

carnil commented 5 years ago

CVE-2019-11371 was assigned for this issue.

pfsmorigo commented 4 years ago

Any update?