Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Stricter limit on POS/MPOS/TLEN in sam_parse1() #1812

Merged
merged 2 commits into from
Jul 30, 2024
Merged

Stricter limit on POS/MPOS/TLEN in sam_parse1() #1812

merged 2 commits into from
Jul 30, 2024

Conversation

daviesrob
Copy link
Member

Help avoid overflow on arithmetic involving POS, MPOS and TLEN by limiting values in the SAM parser to fit in 62 bits (or 63 for TLEN as it's signed). The new limit is still massively bigger than any known reference so it should not cause any problems in practice.

The actual problem reported was a signed value overflow in process_one_read(). Getting this calculation to work correctly for the entire range of int64_t would be complicated. It's easier just to ensure the inputs are within a range where overflow cannot happen.

Credit to OSS-Fuzz
Fixes oss-fuzz 68750

@daviesrob
Stricter limit on POS/MPOS/TLEN in sam_parse1()
9a4b660 
Help avoid overflow on arithmetic involving POS, MPOS and TLEN
by limiting values in the SAM parser to fit in 62 bits (or 63
for TLEN as it's signed).  The new limit is still massively bigger
than any known reference so it should not cause any problems
in practice.

Credit to OSS-Fuzz
Fixes oss-fuzz 68750
@whitwham whitwham self-assigned this Jul 30, 2024
@whitwham
Copy link
Contributor

Does v->pos = hts_str2uint(p, &p, 63, &overflow); in vcf.c at line 3706 also need changing?

@daviesrob
Stricter limit on POS in vcf_parse()
555802f 
Limiting POS to 62 bits helps avoid the risk of signed overflow
when it's set to a very extreme value.  The maximum is still
much higher than the length of the longest currently known
reference.
@daviesrob
Copy link
Member Author

There's probably less urgency on that one, as I think there's fewer troublesome calculations done on positions in VCF files. But the change doesn't appear to cause any problems in HTSlib or BCFtools, so I guess it's worth doing.

@whitwham whitwham merged commit 278e23d into samtools:develop Jul 30, 2024
9 checks passed
@daviesrob daviesrob deleted the tlen_overflow branch August 8, 2024 10:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@whitwham whitwham

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@daviesrob @whitwham