If all the @PG records passed to sam_hdr_link_pg() form a single PP loop, all entries in the sam_hrecs_t::pg_end array it builds get set to -1, indicating that there are no chain start points. These entries are then removed to make the final list, but due to a bug in handling the case where there are no PP links the number of entries was incorrectly set to 1 instead of 0. This could lead to an out-of-bounds read in sam_hdr_add_pg() when linking new @PG entries to the existing ones.
Fix by ensuring that only valid end points are returned in the sam_hrecs_t::pg_end array, and the length is set to zero if no ends are detected due to a loop.
Adds a warning if a @PG record is found with a PP link to itself. Detecting longer loops is left for future work. Fixes another warning which incorrectly said 'SN' instead of 'ID' in its message.
Adds an assert() in sam_hdr_add_pg() to catch any other cases of the out-of-bounds read.
Adds tests for loopy @PG records.
Thanks to @OctavioGalland for the bug report. Fixes #1694
If all the
@PGrecords passed tosam_hdr_link_pg()form a singlePPloop, all entries in thesam_hrecs_t::pg_endarray it builds get set to -1, indicating that there are no chain start points. These entries are then removed to make the final list, but due to a bug in handling the case where there are noPPlinks the number of entries was incorrectly set to 1 instead of 0. This could lead to an out-of-bounds read insam_hdr_add_pg()when linking new@PGentries to the existing ones.Fix by ensuring that only valid end points are returned in the
sam_hrecs_t::pg_end array, and the length is set to zero if no ends are detected due to a loop.Adds a warning if a
@PGrecord is found with a PP link to itself. Detecting longer loops is left for future work. Fixes another warning which incorrectly said 'SN' instead of 'ID' in its message.Adds an
assert()insam_hdr_add_pg()to catch any other cases of the out-of-bounds read.Adds tests for loopy
@PGrecords.Thanks to @OctavioGalland for the bug report. Fixes #1694