
Oss fuzz 499447432 #1999

Merged
daviesrob merged 2 commits into samtools:develop from
jkbonfield:oss-fuzz-499447432
Apr 20, 2026

Conversation

@jkbonfield
Contributor

  • Fix extend_ref to not change ref_end on error, fixing a read buffer overflow.
  • Improve SQ LN field checking, failing on LN:-2 and also LN:0 or "LN:"

Note this isn't CVE worthy as the code it fixes appeared since the last release.

If we fail to extend the buffer, we shouldn't extend ref_end.
This avoids needing to check downstream everywhere we use ref_end to
make sure it's not bigger than ref_end_alloc.  Instead we'll just get
short references and need to encode overhanging sequences against Ns.

Credit to OSS_Fuzz
Fixes oss-fuzz issue 499447432
Converting a file to CRAM with embed_ref=2 and SQ LN:0 triggers some
unusual code paths because we use a non-zero length field as an
indicator for the reference having been populated.  In this case we
convert sequence to Ns (albeit not overflowing buffers and in a secure
way).

However, it's a wider issue.  LN:-2 was permitted and it gets converted
to MAX_INT in bam.  Plus "LN:" (no length) was accepted and treated as
zero.  So instead of putting the fix in cram_io.c refs_from_header()
("if (h->hrecs->ref[i].len <= 0) ...") we disallow this globally for
all file formats.
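Added example, not htslib's code: the two points of the PR as stand-alone C. A buffer-extend routine that leaves ref_end untouched when growth fails, so ref_end <= ref_end_alloc holds without downstream checks, and strict @SQ LN: validation that rejects the empty, zero and negative lengths named above. Every name here (ref_buf, extend_ref, parse_sq_ln, check_header_sq, the sample headers) is hypothetical; how htslib's refs_from_header() or its reference buffer growth is actually written is not shown on this page.

```c
/* Added example (not htslib code). All names are hypothetical; only the
 * invariants follow the PR description above. */
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *seq;            /* bases, 'N'-padded as the PR describes */
    size_t ref_end;       /* bases populated so far */
    size_t ref_end_alloc; /* bytes allocated for seq */
} ref_buf;                /* invariant: ref_end <= ref_end_alloc, always */

/* Grow the reference by n bases of 'N'. max_alloc stands in for a failing
 * realloc so the error path can be exercised. On failure return -1 and leave
 * r untouched, above all ref_end; advancing it anyway was the read overflow. */
static int extend_ref(ref_buf *r, size_t n, size_t max_alloc) {
    size_t new_end, cap;
    char *tmp;
    if (n > SIZE_MAX - r->ref_end) return -1;
    new_end = r->ref_end + n;
    if (new_end > r->ref_end_alloc) {
        cap = r->ref_end_alloc ? r->ref_end_alloc : 16;
        while (cap < new_end) {
            if (cap > SIZE_MAX / 2) return -1;
            cap *= 2;
        }
        if (cap > max_alloc) return -1;       /* simulated ENOMEM */
        if (!(tmp = realloc(r->seq, cap))) return -1;
        r->seq = tmp;
        r->ref_end_alloc = cap;
    }
    memset(r->seq + r->ref_end, 'N', n);
    r->ref_end = new_end;                     /* only once the space exists */
    return 0;
}

/* 1 if a failed grow leaves ref_end describing only populated, in-bounds bases. */
static int extend_ref_failure_keeps_invariant(void) {
    ref_buf r = { NULL, 0, 0 };
    int ok = extend_ref(&r, 10, 64) == 0      /* fits: capacity becomes 16 */
          && extend_ref(&r, 100, 64) != 0    /* needs 128 > 64: must fail */
          && r.ref_end == 10 && r.ref_end <= r.ref_end_alloc
          && memcmp(r.seq, "NNNNNNNNNN", 10) == 0;
    free(r.seq);
    return ok;
}

/* Parse an @SQ LN: value (len bytes, not NUL-terminated). Accepts only an
 * unsigned decimal in 1..INT_MAX; returns -1 for the cases the PR rejects
 * ("LN:" empty, LN:0, LN:-2), for junk like "12x", and beyond INT_MAX. */
static long long parse_sq_ln(const char *val, size_t len) {
    long long ln = 0; size_t i;
    if (len == 0) return -1;
    for (i = 0; i < len; i++) {
        int d = val[i] - '0';
        if (d < 0 || d > 9) return -1;          /* rejects '-', '+', letters */
        if (ln > (INT_MAX - d) / 10) return -1; /* would exceed INT_MAX */
        ln = ln * 10 + d;
    }
    return ln == 0 ? -1 : ln;
}

/* Every @SQ line must carry a valid LN:. Returns the @SQ count, or -1 at the first bad one. */
static int check_header_sq(const char *hdr) {
    int n_sq = 0; const char *line = hdr;
    while (*line) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        if (end - line >= 3 && memcmp(line, "@SQ", 3) == 0) {
            long long ln = -1;
            const char *p = line + 3;
            while (p < end && *p == '\t') {       /* tab-separated TAG:value */
                const char *f = ++p;
                const char *fe = memchr(f, '\t', (size_t)(end - f));
                if (!fe) fe = end;
                if (fe - f >= 3 && memcmp(f, "LN:", 3) == 0)
                    ln = parse_sq_ln(f + 3, (size_t)(fe - f - 3));
                p = fe;
            }
            if (ln < 0) return -1;
            n_sq++;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return n_sq;
}

/* Constructed sample headers (not from any real file). */
static const char hdr_ok[]    = "@SQ\tSN:chr1\tLN:248956422\n@SQ\tSN:chrM\tLN:16569\n";
static const char hdr_neg[]   = "@SQ\tSN:x\tLN:-2\n"; /* used to become INT_MAX */
static const char hdr_zero[]  = "@SQ\tSN:x\tLN:0\n";  /* 0 doubles as "no reference" */
static const char hdr_empty[] = "@SQ\tSN:x\tLN:\n";   /* used to be read as 0 */

/* 1 if the good header passes and every bad one is rejected. */
static int samples_behave(void) {
    return check_header_sq(hdr_ok) == 2 && check_header_sq(hdr_neg) == -1
        && check_header_sq(hdr_zero) == -1 && check_header_sq(hdr_empty) == -1;
}
```

The LN parser deliberately refuses a sign character rather than parsing with strtol and range-checking afterwards: that is what stops "-2" from ever becoming a large positive value, and the digit-only loop with an INT_MAX guard also catches lengths BAM's 32-bit reference length cannot hold. The extend_ref invariant is the same idea the PR states: callers may trust ref_end without re-checking it against ref_end_alloc because the only code that moves ref_end does so after the allocation has succeeded.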
daviesrob merged commit 63076c5 into samtools:develop on Apr 20, 2026
9 checks passed