
Bug Report: Null Pointer Dereference in PQSFormat::ReadMolecule via lowerit #2826

Description

@ahuo1

Environment

  • OS: Ubuntu 22.04
  • Compiler: clang 13.0.1
  • Sanitizers: AddressSanitizer (ASan) + UndefinedBehaviorSanitizer (UBSan)

Build Instructions

export CC=clang-13
export CXX=clang++-13
export CXXFLAGS="${CXXFLAGS} -std=c++17 -stdlib=libstdc++ -fsanitize=address -O1 -g"
export CFLAGS="${CFLAGS} -fsanitize=address -O1 -g"
export LDFLAGS="${LDFLAGS} -fsanitize=address"
export LIB_FUZZING_ENGINE="-fsanitize=fuzzer"

sed -i 's/CMAKE_CXX_STANDARD 11/CMAKE_CXX_STANDARD 17/g' CMakeLists.txt
sed -i 's/std::random/\/\/std::random/g' test/*.cpp

mkdir build && cd build
cmake .. -DBUILD_SHARED=OFF -DBUILD_MIXED=ON
make -j $(nproc)

Reproduction

Run the fuzzer with a crafted input file:

./fuzz_convert poc

Observed Behavior

Program crashes with ASan/UBSan report:

==1065864==ERROR: AddressSanitizer: SEGV on unknown address 0x7ffe5603addc (pc 0x7f105d9cad24 bp 0x7ffd5603ad30 sp 0x7ffd5603a4d8 T0)
==1065864==The signal is caused by a READ memory access.
    #0 0x7f105d9cad24  (/lib/x86_64-linux-gnu/libc.so.6+0x1b3d24)
    #1 0x55cde4 in __interceptor_strncpy (/root/openbabel/build/bin/fuzz_convert+0x55cde4)
    #2 0x7c9a42 in OpenBabel::lowerit(char*) /root/openbabel/src/formats/PQSformat.cpp:84:13
    #3 0x7c9a42 in OpenBabel::PQSFormat::ReadMolecule(OpenBabel::OBBase*, OpenBabel::OBConversion*) /root/openbabel/src/formats/PQSformat.cpp:200:9
    #4 0xea2211 in OpenBabel::OBMoleculeFormat::ReadChemObjectImpl(OpenBabel::OBConversion*, OpenBabel::OBFormat*) /root/openbabel/src/obmolecformat.cpp:101:18
    #5 0x5b247b in OpenBabel::OBConversion::Convert() /root/openbabel/src/obconversion.cpp:542:30
    #6 0x5b140c in OpenBabel::OBConversion::Convert(std::istream*, std::ostream*) /root/openbabel/src/obconversion.cpp:478:17
    #7 0x5a5c18 in LLVMFuzzerTestOneInput /root/openbabel/test/fuzz/fuzz_convert.cpp:35:14
    #8 0x4d93b3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/root/openbabel/build/bin/fuzz_convert+0x4d93b3)
...

Root Cause Analysis

The crash occurs because lowerit(char*) is called with a pointer that is either nullptr or not pointing to a valid, null-terminated buffer. This pointer originates in PQSFormat::ReadMolecule, where string parsing is performed without validating the result.

The attached file contains a proof-of-concept.
poc.zip
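As an added illustration of the bug class described in the root cause analysis (constructed example, not Open Babel's own lowerit() or PQSFormat code): a lowercasing helper that copies its argument with strncpy into a fixed buffer, a tokenizing caller that hands it an unchecked (possibly null) token, and a hardened caller that validates the pointer and bounds the copy before converting. Names such as lowerit_unchecked and first_token_lower_checked are hypothetical.

```cpp
#include <cctype>
#include <cstddef>
#include <cstring>
#include <string>

// Hypothetical stand-in for the lowercasing helper described in the report
// (constructed here, not Open Babel's lowerit()). It copies a C string into
// a fixed buffer and lowercases it; given nullptr, strncpy reads through the
// null pointer, the SEGV-on-READ pattern shown in frames #1/#2 of the trace.
static const std::size_t TOKEN_BUF = 16;

static std::string lowerit_unchecked(const char *src) {
    char tmp[TOKEN_BUF];
    std::strncpy(tmp, src, TOKEN_BUF);       // crashes when src == nullptr
    tmp[TOKEN_BUF - 1] = '\0';
    for (char *p = tmp; *p != '\0'; ++p)
        *p = static_cast<char>(std::tolower(static_cast<unsigned char>(*p)));
    return std::string(tmp);
}

// Vulnerable caller pattern: the first whitespace-delimited token of `line`
// is handed to the helper without checking that a token was found at all.
// strtok returns nullptr for an empty or all-whitespace line.
static std::string first_token_lower_unchecked(char *line) {
    char *tok = std::strtok(line, " \t\r\n");
    return lowerit_unchecked(tok);           // nullptr flows straight in
}

// Hardened version: reject a null line or missing token, bound the copy by
// the token length, and report failure to the caller instead of crashing.
static bool first_token_lower_checked(char *line, std::string &out) {
    if (line == nullptr) return false;
    char *tok = std::strtok(line, " \t\r\n");
    if (tok == nullptr) return false;        // nothing to parse: say so
    std::size_t n = std::strlen(tok);        // strtok terminates the token
    if (n >= TOKEN_BUF) n = TOKEN_BUF - 1;   // truncate rather than overrun
    out.assign(tok, n);
    for (char &c : out)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return true;
}
```

Running the unchecked path on an all-whitespace line under ASan reproduces the same SEGV-on-READ signature; the checked path returns false instead.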
