Submit #304571: openbabel openbabel commit 32cf131444c1555c749b356dab44fb9fe275271f container-overflow

Title: openbabel openbabel commit 32cf131444c1555c749b356dab44fb9fe275271f container-overflow
Description:

## Description

[openbabel](https://github.com/openbabel/openbabel) has container-overflow /src/openbabel/src/formats/smilesformat.cpp:568:20 in `OpenBabel::OBSmilesParser::ParseSmiles(OpenBabel::OBMol&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&)`

## version

```shell
commit 32cf131444c1555c749b356dab44fb9fe275271f
```

## harness

From https://github.com/openbabel/openbabel/blob/master/test/fuzz/fuzz_obconversion.cpp

```c++
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stdarg.h>
#include <string.h>
#include <openbabel/babelconfig.h>
#include <openbabel/mol.h>
#include <openbabel/obconversion.h>
#include <cstdlib>
#include <iostream>

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  using namespace std;
  using namespace OpenBabel;

  OBConversion obconv;
  OpenBabel::OBMol obmol;
  // Hand the raw fuzzer bytes to the converter as a std::string.
  std::string str(reinterpret_cast<const char*>(Data), Size);

  // FUZZ_INPUT_FORMAT is defined at compile time
  if (!obconv.SetInFormat(FUZZ_INPUT_FORMAT)) {
    abort();
  }
  obconv.ReadString(&obmol, str);
  return 0;
}
```

## Proof of Concept

The PoC can be obtained from Google Drive: https://drive.google.com/drive/folders/1tvSFclSjmNR86Td4CjVfW4bTpN6Qqs9J?usp=sharing

```shell
$ ./fuzz_obconversion_smiles 7ea433db-023f-4e10-8ef3-52ee1f51f72b
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 386023865
INFO: Loaded 1 modules   (132925 inline 8-bit counters): 132925 [0x17e4f80, 0x18056bd),
INFO: Loaded 1 PC tables (132925 PCs): 132925 [0x13f1010,0x15f83e0),
./fuzz_obconversion_smiles: Running 1 inputs 1 time(s) each.
Running: 7ea433db-023f-4e10-8ef3-52ee1f51f72b
=================================================================
==1298214==ERROR: AddressSanitizer: container-overflow on address 0x6190000026b4 at pc 0x0000007d349a bp 0x7fffffffc530 sp 0x7fffffffc528
READ of size 4 at 0x6190000026b4 thread T0
    #0 0x7d3499 in OpenBabel::OBSmilesParser::ParseSmiles(OpenBabel::OBMol&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) /src/openbabel/src/formats/smilesformat.cpp:568:20
    #1 0x7cd66c in OpenBabel::OBSmilesParser::SmiToMol(OpenBabel::OBMol&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) /src/openbabel/src/formats/smilesformat.cpp:394:10
    #2 0x7cccdb in OpenBabel::SMIBaseFormat::ReadMolecule(OpenBabel::OBBase*, OpenBabel::OBConversion*) /src/openbabel/src/formats/smilesformat.cpp:380:15
    #3 0x6d123c in OpenBabel::OBConversion::Read(OpenBabel::OBBase*, std::__1::basic_istream<char, std::__1::char_traits<char> >*) /src/openbabel/src/obconversion.cpp:870:30
    #4 0x641836 in LLVMFuzzerTestOneInput /src/openbabel/test/fuzz/fuzz_obconversion.cpp:26:12
    #5 0x512e73 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #6 0x4ee002 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:337:6
    #7 0x4f90e1 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:1053:9
    #8 0x52d212 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #9 0x7ffff7c43082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
    #10 0x4e41cd in _start (/home/zhangwei28/80result/openbabel/fuzz_obconversion_smiles+0x4e41cd)

0x6190000026b4 is located 820 bytes inside of 1024-byte region [0x619000002380,0x619000002780)
allocated by thread T0 here:
    #0 0x63ef2d in operator new(unsigned long) /src/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:95:3
    #1 0x6a58f5 in __libcpp_operator_new<unsigned long> /usr/local/bin/../include/c++/v1/new:245:10
    #2 0x6a58f5 in __libcpp_allocate /usr/local/bin/../include/c++/v1/new:271:10
    #3 0x6a58f5 in allocate /usr/local/bin/../include/c++/v1/__memory/allocator.h:105:38
    #4 0x6a58f5 in allocate /usr/local/bin/../include/c++/v1/__memory/allocator_traits.h:262:20
    #5 0x6a58f5 in __split_buffer /usr/local/bin/../include/c++/v1/__split_buffer:306:29
    #6 0x6a58f5 in void std::__1::vector<int, std::__1::allocator<int> >::__push_back_slow_path<int>(int&&) /usr/local/bin/../include/c++/v1/vector:1526:49
    #7 0x7e4c8b in push_back /usr/local/bin/../include/c++/v1/vector:1558:9
    #8 0x7e4c8b in OpenBabel::OBSmilesParser::ParseSimple(OpenBabel::OBMol&) /src/openbabel/src/formats/smilesformat.cpp:1044:13
    #9 0x7cf6c8 in OpenBabel::OBSmilesParser::ParseSmiles(OpenBabel::OBMol&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) /src/openbabel/src/formats/smilesformat.cpp:526:14
    #10 0x7cd66c in OpenBabel::OBSmilesParser::SmiToMol(OpenBabel::OBMol&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) /src/openbabel/src/formats/smilesformat.cpp:394:10
    #11 0x7cccdb in OpenBabel::SMIBaseFormat::ReadMolecule(OpenBabel::OBBase*, OpenBabel::OBConversion*) /src/openbabel/src/formats/smilesformat.cpp:380:15
    #12 0x6d123c in OpenBabel::OBConversion::Read(OpenBabel::OBBase*, std::__1::basic_istream<char, std::__1::char_traits<char> >*) /src/openbabel/src/obconversion.cpp:870:30
    #13 0x641836 in LLVMFuzzerTestOneInput /src/openbabel/test/fuzz/fuzz_obconversion.cpp:26:12
    #14 0x512e73 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #15 0x4ee002 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:337:6
    #16 0x4f90e1 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:1053:9
    #17 0x52d212 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #18 0x7ffff7c43082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16

HINT: if you don't care about these errors you may set ASAN_OPTIONS=detect_container_overflow=0.
If you suspect a false positive see also: https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow.
SUMMARY: AddressSanitizer: container-overflow /src/openbabel/src/formats/smilesformat.cpp:568:20 in OpenBabel::OBSmilesParser::ParseSmiles(OpenBabel::OBMol&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&)
Shadow bytes around the buggy address:
  0x0c327fff8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff84a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff84b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff84c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff84d0: 00 00 00 00 00 00[04]fc fc fc fc fc fc fc fc fc
  0x0c327fff84e0: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  0x0c327fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1298214==ABORTING
```
Source: https://drive.google.com/drive/folders/1lwNEs8wqwkUV52f3uQNYMPrxRuXPtGQs?usp=sharing
User: Anonymous User
Submission: 03/26/2024 09:06 (2 years ago)
Moderation: 04/05/2024 07:31 (10 days later)
Status: Duplicate
VulDB entry: 259052 [yaml libyaml up to 0.2.5 emitter.c yaml_emitter_emit_flow_sequence_item heap-based overflow]
Points: 0
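The ASan report above is a container-overflow rather than a heap-buffer-overflow: the 4-byte read at smilesformat.cpp:568 lands 820 bytes into a 1024-byte region that was allocated by `std::vector<int>::push_back` in `ParseSimple`, so the address is inside the vector's heap storage (within `capacity()`) but past its `size()`. Plain heap redzones cannot see that; only the container annotations that libc++ (the `std::__1` namespace in the trace) applies to `std::vector` mark the unused tail as `fc` and catch it. The block below is an added illustration of that bug class and of the check that removes it; it is not openbabel's code, does not reproduce the actual parser logic, and the table contents, indices and function names (`lookup_unchecked`, `lookup_checked`, `make_table`, `count_rejected`) are constructed for the example.

```cpp
#include <cstddef>
#include <vector>

// Added illustration, not openbabel code. Models only the shape visible in
// the ASan report: a std::vector<int> grown with push_back() and later
// indexed by a value derived from untrusted input.

// Unchecked lookup. operator[] performs no bounds check, so for an index
// with size() <= idx < capacity() the read stays inside the heap block that
// backs the vector. Heap redzone checks are silent; ASan's container
// annotations (libc++ by default, libstdc++ with -D_GLIBCXX_SANITIZE_VECTOR)
// report it as container-overflow, exactly the class seen above.
int lookup_unchecked(const std::vector<int>& table, std::size_t idx) {
    return table[idx];  // undefined behaviour when idx >= table.size()
}

// Checked lookup. Reject anything at or beyond size() before touching
// storage; the caller turns `false` into a parse error instead of a read.
bool lookup_checked(const std::vector<int>& table, std::size_t idx, int& out) {
    if (idx >= table.size()) {
        return false;
    }
    out = table[idx];
    return true;
}

// Constructed input: a vector whose capacity exceeds its size, which is the
// state in which an out-of-range index becomes a container-overflow rather
// than a heap-buffer-overflow. Values are arbitrary.
std::vector<int> make_table() {
    std::vector<int> t;
    t.reserve(16);                                     // capacity >= 16, size 0
    for (int i = 0; i < 4; ++i) t.push_back(i * 10);   // size 4: {0, 10, 20, 30}
    return t;
}

// Runs a batch of attacker-chosen indices through the checked path and
// returns how many were refused; every refused index would have been a
// silent in-capacity read on the unchecked path.
int count_rejected(const std::vector<int>& table,
                   const std::vector<std::size_t>& idxs) {
    int rejected = 0;
    for (std::size_t idx : idxs) {
        int value = 0;
        if (!lookup_checked(table, idx, value)) ++rejected;
    }
    return rejected;
}

int main() {
    std::vector<int> table = make_table();
    int v = 0;
    lookup_checked(table, 2, v);        // in range: both paths agree (20)
    // lookup_unchecked(table, 9) is the container-overflow read: index 9 is
    // past size() 4 but inside the reserved capacity. Not executed here.
    return lookup_checked(table, 9, v) ? 1 : 0;  // 0: index 9 refused
}
```

Build with `clang++ -fsanitize=address -g` (libc++ annotates `std::vector` automatically; with libstdc++ add `-D_GLIBCXX_SANITIZE_VECTOR`) and replace the commented call with a real `lookup_unchecked(table, 9)` to see the same `container-overflow ... fc` shadow pattern that the report shows; the checked path never reaches the allocation and needs no sanitizer to be safe.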
