stcorp / coda

The Common Data Access toolset
http://stcorp.github.io/coda/doc/html/index.html
BSD 3-Clause "New" or "Revised" License

coda_recognize_file_fuzzer: Integer-overflow in read_grib2_message #57

Closed schwehr closed 4 years ago

schwehr commented 4 years ago
third_party/stcorp_coda/libcoda/coda-grib.c:2305:74: runtime error: signed integer overflow: 16770703 * 256 cannot be represented in type 'int'
    #0 0x55b0fb8c0e80 in read_grib2_message third_party/stcorp_coda/libcoda/coda-grib.c:2305:74
    #1 0x55b0fb8ad540 in coda_grib_reopen third_party/stcorp_coda/libcoda/coda-grib.c:3131:17
    #2 0x55b0fb8efb4b in reopen_with_backend third_party/stcorp_coda/libcoda/coda-product.c:408:17
    #3 0x55b0fb8ec938 in open_file third_party/stcorp_coda/libcoda/coda-product.c:550:9
    #4 0x55b0fb8ec27a in coda_recognize_file third_party/stcorp_coda/libcoda/coda-product.c:594:9
    #5 0x55b0fb802151 in LLVMFuzzerTestOneInput third_party/stcorp_coda/fuzz/coda_recognize_file_fuzzer.cc:19:3

SUMMARY: UndefinedBehaviorSanitizer: signed-integer-overflow third_party/stcorp_coda/libcoda/coda-grib.c:2305

testcase-6232605866852352.zip

svniemeijer commented 4 years ago

Should be fixed in 24c596d25344b42c7d7421ab24303f52cf787b8c. I now went through the whole file to add explicit type casts for similar cases.
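The overflow in the report comes from composing a multi-byte big-endian field in plain `int` arithmetic: once the accumulated value reaches 16770703, the next `* 256` exceeds `INT_MAX`. The following is an added example written for this issue, not code from CODA; it assumes a 4-byte big-endian section length field (the hypothetical helpers `read_be_u32` and `checked_section_length` are not CODA's API) and shows the explicit-cast form of the read together with a bounds check against the bytes actually present, so a fuzzed length is rejected rather than driving a later read past the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: the first three bytes are 0xFFE68F == 16770703, the
   value from the sanitizer report. Composing this as (b0*256+b1)*256+b2)*256+b3
   in int overflows at the last multiplication. */
static const uint8_t SAMPLE_OVERFLOW[4] = { 0xFF, 0xE6, 0x8F, 0x00 };

/* Constructed sample: a section declaring length 8, followed by 4 payload bytes. */
static const uint8_t SAMPLE_OK[8] = { 0x00, 0x00, 0x00, 0x08, 0x01, 0x02, 0x03, 0x04 };

/* Big-endian 4-byte read with every byte widened to uint32_t before it is
   shifted. Unsigned arithmetic wraps by definition, so no input can trigger
   undefined behaviour here (hypothetical helper, not CODA's own). */
static uint32_t read_be_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Reads the declared section length and validates it against the bytes
   available. The value is widened to int64_t before any further arithmetic
   so the comparison itself cannot overflow. Returns the length, or -1 when
   fewer than 4 bytes are available, the length is smaller than the field
   that holds it, or the length exceeds the buffer (hypothetical helper). */
static int64_t checked_section_length(const uint8_t *p, size_t avail)
{
    if (avail < 4) {
        return -1;
    }
    int64_t n = (int64_t)read_be_u32(p);
    if (n < 4 || (uint64_t)n > avail) {
        return -1;
    }
    return n;
}

int main(void)
{
    printf("raw field: %u\n", read_be_u32(SAMPLE_OVERFLOW));  /* 4293299968 */
    printf("overflow sample: %lld\n",
           (long long)checked_section_length(SAMPLE_OVERFLOW, sizeof SAMPLE_OVERFLOW)); /* -1 */
    printf("ok sample: %lld\n",
           (long long)checked_section_length(SAMPLE_OK, sizeof SAMPLE_OK));             /* 8 */
    return 0;
}
```

The cast to `uint32_t` on each byte is the same idea as the explicit casts added in the fix; the additional length-versus-buffer check is the step that turns a well-defined but oversized value into a clean parse error.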

schwehr commented 4 years ago

Verified