From b0bc9ae4a54064365e435812443f4122e6b60b81 Mon Sep 17 00:00:00 2001 From: Rob Davies Date: Wed, 18 Sep 2024 13:51:46 +0100 Subject: [PATCH] Fix possible 1 byte underflow in find_file_extension() When checking for another delimiter before .gz or .bgz, the pointer into the string was decremented without checking to see if was at the start. This could lead to a one byte read before the start of the string when copying out the delimiter. Credit to OSS_Fuzz Fixes oss-fuzz id 71740 --- hts_internal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hts_internal.h b/hts_internal.h index 52f29e6c1..c07df8abd 100644 --- a/hts_internal.h +++ b/hts_internal.h @@ -129,7 +129,7 @@ static inline int find_file_extension(const char *fn, char ext_out[static HTS_MA if (!fn) return -1; if (!delim) delim = fn + strlen(fn); for (ext = delim; ext > fn && *ext != '.' && *ext != '/'; --ext) {} - if (*ext == '.' && + if (*ext == '.' && ext > fn && ((delim - ext == 3 && ext[1] == 'g' && ext[2] == 'z') || // permit .sam.gz as a valid file extension (delim - ext == 4 && ext[1] == 'b' && ext[2] == 'g' && ext[3] == 'z'))) // permit .vcf.bgz as a valid file extension {