| Title | openbabel Open Babel 3.1.1 and master-branch NULL Pointer Dereference |
|---|
| Description | ### Description
We discovered a Segmentation Fault vulnerability in OpenBabel. The crash occurs in OpenBabel::OBAtom::GetExplicitValence (specifically in the inlined BeginBond) when parsing a malformed CDXML (ChemDraw XML) file.
The ASAN report indicates a SEGV at address 0x000000000040 with rdi=0. This indicates that GetExplicitValence was called on a NULL OBAtom pointer, leading to a crash when accessing member variables (e.g., the bond vector) at offset 0x40.
### Environment
- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled.
### Vulnerability Details
- Target: OpenBabel
- Vulnerability Type: CWE-476: NULL Pointer Dereference
- Function: OpenBabel::OBAtom::GetExplicitValence
- Location: src/atom.cpp:983:42
- Caller: OpenBabel::ChemDrawXMLFormat::EndElement at src/formats/xml/cdxmlformat.cpp:268:12
- Root Cause Analysis: The crash originates in ChemDrawXMLFormat::EndElement. At line 268 of cdxmlformat.cpp, the code calls OBAtomAssignTypicalImplicitHydrogens(atom). The atom pointer passed to this function appears to be NULL. This likely happens when the parser attempts to retrieve an atom (e.g., from an ID lookup or internal state) but fails to find it due to malformed XML structure, and subsequently fails to check for NULL before using it. OBAtomAssignTypicalImplicitHydrogens then calls atom->GetExplicitValence(), which dereferences this (NULL), causing the crash.
### Reproduce
1. Build openbabel with Release optimization and ASAN enabled.
```
CC=clang CXX=clang++ cmake .. \
-DCMAKE_BUILD_TYPE=Release \
-DENABLE_ASAN=ON \
-DCMAKE_CXX_FLAGS="-g -fsanitize=address -O3" \
-DCMAKE_C_FLAGS="-g -fsanitize=address -O3"
make -j$(nproc)
```
2. Set runtime configuration
```
export REPRO_BUILD_DIR="/src/repro/openbabel/build"
export BABEL_LIBDIR="$REPRO_BUILD_DIR/lib"
export LD_LIBRARY_PATH="$REPRO_BUILD_DIR/lib:$LD_LIBRARY_PATH"
export ASAN_OPTIONS="symbolize=1:detect_leaks=0:detect_odr_violation=0:allocator_may_return_null=1:abort_on_error=1"
```
3. Run with the crashing [file](https://github.com/oneafter/0128/blob/main/ob3/repro.cdxml):
```
obabel -icdxml repro.cdxml -osmi -O /dev/null
```
<details>
<summary>ASAN report</summary>
```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==20722==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x7fd467c94fc1 bp 0x7fff4c673c90 sp 0x7fff4c673bb0 T0)
==20722==The signal is caused by a READ memory access.
==20722==Hint: address points to the zero page.
#0 0x7fd467c94fc1 in OpenBabel::OBAtom::BeginBond(__gnu_cxx::__normal_iterator<OpenBabel::OBBond**, std::vector<OpenBabel::OBBond*, std::allocator<OpenBabel::OBBond*>>>&) /src/repro/openbabel/src/atom.cpp
#1 0x7fd467c94fc1 in OpenBabel::OBAtom::GetExplicitValence() const /src/repro/openbabel/src/atom.cpp:983:42
#2 0x7fd467ee172a in OpenBabel::OBAtomAssignTypicalImplicitHydrogens(OpenBabel::OBAtom*) /src/repro/openbabel/src/obfunctions.cpp:942:32
#3 0x7fd46304632b in OpenBabel::ChemDrawXMLFormat::EndElement(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /src/repro/openbabel/src/formats/xml/cdxmlformat.cpp:268:12
#4 0x7fd46304c151 in OpenBabel::XMLConversion::ReadXML(OpenBabel::XMLBaseFormat*, OpenBabel::OBBase*) /src/repro/openbabel/src/formats/xml/xml.cpp:228:23
#5 0x7fd467faf433 in OpenBabel::OBMoleculeFormat::ReadChemObjectImpl(OpenBabel::OBConversion*, OpenBabel::OBFormat*) /src/repro/openbabel/src/obmolecformat.cpp:101:18
#6 0x7fd467ebc7fc in OpenBabel::OBConversion::Convert() /src/repro/openbabel/src/obconversion.cpp:542:30
#7 0x7fd467ebbd8b in OpenBabel::OBConversion::Convert(std::istream*, std::ostream*) /src/repro/openbabel/src/obconversion.cpp:478:17
#8 0x7fd467ec5d16 in OpenBabel::OBConversion::FullConvert(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>&) /src/repro/openbabel/src/obconversion.cpp:1511:17
#9 0x55c7d503d82a in main /src/openbabel/tools/obabel.cpp:370:20
#10 0x7fd4676241c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#11 0x7fd46762428a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#12 0x55c7d4f57654 in _start (/src/openbabel/build_afl/bin/obabel+0x30654) (BuildId: 91313e1461eddf0aa27f69aeebb05609674ad0c8)
==20722==Register values:
rax = 0x0000000000000048 rbx = 0x0000000000000000 rcx = 0x0000000000000009 rdx = 0x00007fd465411100
rdi = 0x0000000000000000 rsi = 0x00007fd466ed40d0 rbp = 0x00007fff4c673c90 rsp = 0x00007fff4c673bb0
r8 = 0x000000000000001c r9 = 0x0000524000002000 r10 = 0x00007fffffffff01 r11 = 0x8af22971552ffa01
r12 = 0x00005020000016fc r13 = 0x00005020000016fc r14 = 0x00007fd4630557a0 r15 = 0x0000512000007e40
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/repro/openbabel/src/atom.cpp in OpenBabel::OBAtom::BeginBond(__gnu_cxx::__normal_iterator<OpenBabel::OBBond**, std::vector<OpenBabel::OBBond*, std::allocator<OpenBabel::OBBond*>>>&)
==20722==ABORTING
```
</details> |
|---|
| Source | https://github.com/openbabel/openbabel/issues/2848 |
|---|
| User | Oneafter (UID 92781) |
|---|
| Submission | 20.02.2026 11:46 (2 months ago) |
|---|
| Moderation | 01.03.2026 08:11 (9 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 348303 [Open Babel up to 3.1.1 CDXML File isrc/atom.cpp GetExplicitValence Denial of Service] |
|---|
| Points | 20 |
|---|
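The root-cause section of the report above describes a lookup that fails on malformed CDXML and hands a null `OBAtom*` to `OBAtomAssignTypicalImplicitHydrogens`, which then dereferences it inside `GetExplicitValence`. The following C++ block is an added illustration of that failure shape and of the guard that closes it; it is not OpenBabel's code and does not reproduce the `cdxmlformat.cpp` logic. `Atom`, `Bond`, `ParserState`, `AssignTypicalImplicitHydrogens` and `EndElementGuarded` are simplified stand-ins invented for this example, and the two-carbon fragment and the dangling node id are constructed inputs.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <string>
#include <vector>

struct Atom;

// Hypothetical bond record: two endpoints and an integer bond order.
struct Bond {
    Atom* begin;
    Atom* end;
    unsigned order;
};

// Hypothetical stand-in for OBAtom. The bond vector sits at a non-zero
// offset inside the object, so reading it through a null 'this' faults on
// a small address, which is the shape of the SEGV in the report.
struct Atom {
    unsigned atomicNum = 6;     // carbon by default
    std::vector<Bond*> bonds;
    unsigned implicitH = 0;

    // Explicit valence = sum of the orders of the bonds on this atom.
    unsigned GetExplicitValence() const {
        unsigned v = 0;
        for (const Bond* b : bonds) v += b->order;
        return v;
    }
};

// Hypothetical stand-in for OBAtomAssignTypicalImplicitHydrogens: a carbon
// wants 4 bonds, anything else is left alone. It dereferences 'atom'
// unconditionally, so its callers must never hand it a null pointer.
void AssignTypicalImplicitHydrogens(Atom* atom) {
    unsigned typical = (atom->atomicNum == 6) ? 4u : 0u;
    unsigned ev = atom->GetExplicitValence();
    atom->implicitH = (ev < typical) ? typical - ev : 0;
}

// Minimal parser state (constructed for this example): atoms keyed by the
// CDXML node id, and the id of the <n> element currently being closed.
struct ParserState {
    std::map<int, Atom*> atomsById;
    int currentId = -1;
    std::vector<std::string> errors;
};

// Hardened end-of-element step: resolve the atom first and bail out on a
// failed lookup instead of passing nullptr downstream. Returns false when
// the input was rejected.
bool EndElementGuarded(ParserState& st) {
    auto it = st.atomsById.find(st.currentId);
    if (it == st.atomsById.end() || it->second == nullptr) {
        st.errors.push_back("no atom for node id " + std::to_string(st.currentId));
        return false;
    }
    AssignTypicalImplicitHydrogens(it->second);
    return true;
}

// Well-formed input: two carbons joined by a single bond. Closing node 1
// should leave it with 4 - 1 = 3 implicit hydrogens.
unsigned DemoWellFormed() {
    Atom c1, c2;
    Bond b{&c1, &c2, 1};
    c1.bonds.push_back(&b);
    c2.bonds.push_back(&b);
    ParserState st;
    st.atomsById = {{1, &c1}, {2, &c2}};
    st.currentId = 1;
    EndElementGuarded(st);
    return c1.implicitH;
}

// Malformed input: the element being closed names an id that was never
// defined, the situation the report attributes the crash to.
ParserState MakeMissingAtomState(Atom& only) {
    ParserState st;
    st.atomsById = {{1, &only}};
    st.currentId = 99;  // no such node
    return st;
}

bool DemoMissingAtomAccepted() {
    Atom only;
    ParserState st = MakeMissingAtomState(only);
    return EndElementGuarded(st);  // false: rejected, nothing dereferenced
}

std::size_t DemoMissingAtomErrors() {
    Atom only;
    ParserState st = MakeMissingAtomState(only);
    EndElementGuarded(st);
    return st.errors.size();  // one recorded error
}

int main() {
    std::cout << "well-formed: implicitH=" << DemoWellFormed() << "\n";
    std::cout << "missing atom accepted=" << DemoMissingAtomAccepted()
              << " errors=" << DemoMissingAtomErrors() << "\n";
    return 0;
}
```

The point of the guard is where it sits: the null check belongs at the lookup site in the element handler, before the pointer is passed down, because the downstream helper has no way to report failure and every caller would otherwise need its own check. Rejecting the element and recording the error also keeps the rest of the file parsable, which is what a converter run over untrusted input should do rather than abort.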