| Title | openbabel master-branch NULL Pointer Dereference |
|---|
| Description | ## Segmentation Fault (NULL Write at 0x28) in OBAtom::SetFormalCharge via MOL2 Parser
### Description
We discovered a Segmentation Fault vulnerability in OpenBabel. The crash occurs in OpenBabel::OBAtom::SetFormalCharge when parsing a malformed MOL2 file.
The ASAN report indicates a SEGV caused by a WRITE memory access at address 0x000000000028. This is a classic NULL pointer dereference where the code attempts to write to a member variable (offset 0x28) of a NULL OBAtom pointer.
### Environment
- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled.
### Vulnerability Details
- Target: OpenBabel
- Vulnerability Type: CWE-476: NULL Pointer Dereference
- Function: OpenBabel::OBAtom::SetFormalCharge (inlined)
- Location: include/openbabel/atom.h:198:54
- Caller: OpenBabel::MOL2Format::ReadMolecule at src/formats/mol2format.cpp:424:23
- Root Cause Analysis: The crash happens inside ReadMolecule for the MOL2 format. At line 424 of mol2format.cpp, the code retrieves a pointer to an atom (likely via GetAtom(i)) and immediately calls SetFormalCharge on it. The OBAtom* pointer returned is NULL (possibly due to an invalid atom ID in the MOL2 file or a mismatch between the declared atom count and actual data). The code fails to check if the pointer is valid before dereferencing it to set the charge.
### Reproduce
1. Build openbabel with Release optimization and ASAN enabled.
```
CC=clang CXX=clang++ cmake .. \
-DCMAKE_BUILD_TYPE=Release \
-DENABLE_ASAN=ON \
-DCMAKE_CXX_FLAGS="-g -fsanitize=address -O3" \
-DCMAKE_C_FLAGS="-g -fsanitize=address -O3"
make -j$(nproc)
```
2. Set runtime configuration
```
export REPRO_BUILD_DIR="/src/repro/openbabel/build"
export BABEL_LIBDIR="$REPRO_BUILD_DIR/lib"
export LD_LIBRARY_PATH="$REPRO_BUILD_DIR/lib:$LD_LIBRARY_PATH"
export ASAN_OPTIONS="symbolize=1:detect_leaks=0:detect_odr_violation=0:allocator_may_return_null=1:abort_on_error=1"
```
3. Run with the crashing [file](https://github.com/oneafter/0128/blob/main/ob2/repro.mol2):
```
obabel -imol2 repro.mol2 -osmi -O /dev/null
```
<details>
<summary>ASAN report</summary>
```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==23875==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7f9affbe4f0c bp 0x7fff27600e30 sp 0x7fff275dfd40 T0)
==23875==The signal is caused by a WRITE memory access.
==23875==Hint: address points to the zero page.
#0 0x7f9affbe4f0c in OpenBabel::OBAtom::SetFormalCharge(int) /src/repro/openbabel/include/openbabel/atom.h:198:54
#1 0x7f9affbe4f0c in OpenBabel::MOL2Format::ReadMolecule(OpenBabel::OBBase*, OpenBabel::OBConversion*) /src/repro/openbabel/src/formats/mol2format.cpp:424:23
#2 0x7f9b0604d433 in OpenBabel::OBMoleculeFormat::ReadChemObjectImpl(OpenBabel::OBConversion*, OpenBabel::OBFormat*) /src/repro/openbabel/src/obmolecformat.cpp:101:18
#3 0x7f9b05f5a7fc in OpenBabel::OBConversion::Convert() /src/repro/openbabel/src/obconversion.cpp:542:30
#4 0x7f9b05f59d8b in OpenBabel::OBConversion::Convert(std::istream*, std::ostream*) /src/repro/openbabel/src/obconversion.cpp:478:17
#5 0x7f9b05f63d16 in OpenBabel::OBConversion::FullConvert(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>&) /src/repro/openbabel/src/obconversion.cpp:1511:17
#6 0x55d84d776193 in main /src/repro/openbabel/tools/obabel.cpp:370:20
#7 0x7f9b056c21c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#8 0x7f9b056c228a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#9 0x55d84d699584 in _start (/src/repro/openbabel/build/bin/obabel+0x2e584) (BuildId: c5e5db55bc93a5bc1c6dc818a9b2a6e4170c0137)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/repro/openbabel/include/openbabel/atom.h:198:54 in OpenBabel::OBAtom::SetFormalCharge(int)
==23875==ABORTING
```
</details> |
|---|
| Source | https://github.com/openbabel/openbabel/issues/2848 |
|---|
| User | Oneafter (UID 92781) |
|---|
| Submission | 02/09/2026 02:14 (4 months ago) |
|---|
| Moderation | 02/18/2026 19:05 (10 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 346651 [Open Babel up to 3.1.1 MOL2 File include/openbabel/atom.h OBAtom::SetFormalCharge out-of-bounds] |
|---|
| Points | 20 |
|---|
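The root-cause analysis in the report (a MOL2 reader obtains an atom pointer from GetAtom, the index does not resolve, and SetFormalCharge is called on the resulting NULL) is modelled below as a self-contained C++ example. It is added here for illustration and is not OpenBabel's code or the reporter's. ToyAtom, ToyMol, ReadMol2Charges and the other names are hypothetical; the MOL2 subset handled (the MOLECULE counts line, ATOM records, and UNITY_ATOM_ATTR "charge" attributes) is simplified, the page does not say which MOL2 section the crashing line in mol2format.cpp handles, and the three inputs are constructed, not the repro.mol2 from the report. The vulnerable pattern is kept beside the hardened reader, which rejects both failure modes the report names: an atom id outside the molecule and a declared atom count that does not match the records present.

```cpp
#include <cstddef>
#include <iostream>
#include <memory>
#include <sstream>
#include <string>
#include <vector>

// Stand-in for OBAtom: only the field the crash writes to matters here.
struct ToyAtom {
    int formal_charge = 0;
    void SetFormalCharge(int c) { formal_charge = c; }
};

// Stand-in for OBMol with the same GetAtom contract: 1-based, nullptr when out of range.
class ToyMol {
public:
    void NewAtom() { atoms_.push_back(std::make_unique<ToyAtom>()); }
    std::size_t NumAtoms() const { return atoms_.size(); }
    ToyAtom *GetAtom(long idx) const {
        if (idx < 1 || static_cast<std::size_t>(idx) > atoms_.size()) return nullptr;
        return atoms_[static_cast<std::size_t>(idx) - 1].get();
    }
private:
    std::vector<std::unique_ptr<ToyAtom>> atoms_;
};

// Vulnerable pattern from the report: the id comes from the file and the pointer is
// dereferenced without a check, so an id outside the molecule writes through nullptr.
void SetChargeUnchecked(ToyMol &mol, long atom_id, int charge) {
    mol.GetAtom(atom_id)->SetFormalCharge(charge);
}

// True when SetChargeUnchecked would dereference nullptr for this id.
bool WouldDereferenceNull(const ToyMol &mol, long atom_id) {
    return mol.GetAtom(atom_id) == nullptr;
}

enum class Mol2Status { Ok, Malformed, AtomCountMismatch, BadAtomIndex };

// Hardened reader for the simplified MOL2 subset: the declared atom count must match
// the ATOM records read, and every atom id in UNITY_ATOM_ATTR must resolve before use.
Mol2Status ReadMol2Charges(const std::string &text, ToyMol &mol) {
    std::istringstream in(text);
    std::string line, section;
    long declared_atoms = -1;
    int mol_line = 0;     // line position inside @<TRIPOS>MOLECULE
    long attr_atom = 0;   // atom id of the UNITY_ATOM_ATTR block being read
    long attrs_left = 0;  // attribute lines still expected for attr_atom
    while (std::getline(in, line)) {
        if (line.empty()) continue;
        if (line.rfind("@<TRIPOS>", 0) == 0) { section = line; mol_line = 0; continue; }
        std::istringstream f(line);
        if (section == "@<TRIPOS>MOLECULE") {
            // line 0 is the molecule name, line 1 is "num_atoms num_bonds ..."
            if (mol_line++ == 1 && (!(f >> declared_atoms) || declared_atoms < 0))
                return Mol2Status::Malformed;
        } else if (section == "@<TRIPOS>ATOM") {
            long id; std::string name, type; double x, y, z;
            if (!(f >> id >> name >> x >> y >> z >> type)) return Mol2Status::Malformed;
            mol.NewAtom();
        } else if (section == "@<TRIPOS>UNITY_ATOM_ATTR") {
            if (declared_atoms != static_cast<long>(mol.NumAtoms())) return Mol2Status::AtomCountMismatch;
            if (attrs_left == 0) {
                if (!(f >> attr_atom >> attrs_left) || attrs_left < 0) return Mol2Status::Malformed;
                if (mol.GetAtom(attr_atom) == nullptr) return Mol2Status::BadAtomIndex;  // the missing check
            } else {
                std::string key, value;
                if (!(f >> key >> value)) return Mol2Status::Malformed;
                if (key == "charge") {
                    int charge;
                    if (!(std::istringstream(value) >> charge)) return Mol2Status::Malformed;
                    mol.GetAtom(attr_atom)->SetFormalCharge(charge);  // attr_atom validated above
                }
                --attrs_left;
            }
        }
    }
    if (declared_atoms != static_cast<long>(mol.NumAtoms())) return Mol2Status::AtomCountMismatch;
    return Mol2Status::Ok;
}

// Constructed inputs for the demonstration (not the repro.mol2 from the report).
const std::string kAtoms3 = "@<TRIPOS>ATOM\n1 N 0.0 0.0 0.0 N.4\n2 C 1.5 0.0 0.0 C.3\n3 C 3.0 0.0 0.0 C.3\n";
const std::string kGoodMol2 = "@<TRIPOS>MOLECULE\nconstructed\n3 0\n" + kAtoms3 +
                              "@<TRIPOS>UNITY_ATOM_ATTR\n1 1\ncharge 1\n";
// Attribute names atom 7 while only 3 atoms exist: GetAtom(7) is nullptr.
const std::string kBadIndexMol2 = "@<TRIPOS>MOLECULE\nconstructed\n3 0\n" + kAtoms3 +
                                  "@<TRIPOS>UNITY_ATOM_ATTR\n7 1\ncharge 1\n";
// Header declares 3 atoms but only 2 ATOM records follow.
const std::string kCountMismatchMol2 = "@<TRIPOS>MOLECULE\nconstructed\n3 0\n"
                                       "@<TRIPOS>ATOM\n1 N 0.0 0.0 0.0 N.4\n2 C 1.5 0.0 0.0 C.3\n"
                                       "@<TRIPOS>UNITY_ATOM_ATTR\n3 1\ncharge 1\n";

int main() {
    static const char *const names[] = {"Ok", "Malformed", "AtomCountMismatch", "BadAtomIndex"};
    for (const std::string *input : {&kGoodMol2, &kBadIndexMol2, &kCountMismatchMol2}) {
        ToyMol mol;
        std::cout << names[static_cast<int>(ReadMol2Charges(*input, mol))] << '\n';
    }
    return 0;
}
```

The check that matters is the one on the GetAtom result before the dereference; the count comparison is the cheaper guard that catches the other mismatch the report mentions before any per-atom record is trusted. Either rejection turns a process-terminating SEGV into a parse error the caller can report.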