Environment
- OS: Ubuntu 22.04
- Compiler: clang 13.0.1
- Sanitizers: AddressSanitizer (ASan) + UndefinedBehaviorSanitizer (UBSan)
Build Instructions
export CC=clang-13
export CXX=clang++-13
export CXXFLAGS="${CXXFLAGS} -std=c++17 -stdlib=libstdc++ -fsanitize=address -O1 -g"
export CFLAGS="${CFLAGS} -fsanitize=address -O1 -g"
export LDFLAGS="${LDFLAGS} -fsanitize=address"
export LIB_FUZZING_ENGINE="-fsanitize=fuzzer"
sed -i 's/CMAKE_CXX_STANDARD 11/CMAKE_CXX_STANDARD 17/g' CMakeLists.txt
sed -i 's/std::random/\/\/std::random/g' test/*.cpp
mkdir build && cd build
cmake .. -DBUILD_SHARED=OFF -DBUILD_MIXED=ON
make -j $(nproc)
Reproduction
Run the fuzzer with a crafted input file:
Observed Behavior
Program crashes with ASan/UBSan report:
==1087333==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000374 at pc 0x000000615730 bp 0x7ffecdfd1810 sp 0x7ffecdfd1808
READ of size 4 at 0x602000000374 thread T0
#0 0x61572f in OpenBabel::OBSmilesParser::ParseSmiles(OpenBabel::OBMol&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /root/openbabel/src/formats/smilesformat.cpp:568:20
#1 0x6110a9 in OpenBabel::OBSmilesParser::SmiToMol(OpenBabel::OBMol&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /root/openbabel/src/formats/smilesformat.cpp:394:10
#2 0x61075c in OpenBabel::SMIBaseFormat::ReadMolecule(OpenBabel::OBBase*, OpenBabel::OBConversion*) /root/openbabel/src/formats/smilesformat.cpp:380:15
#3 0xea2211 in OpenBabel::OBMoleculeFormat::ReadChemObjectImpl(OpenBabel::OBConversion*, OpenBabel::OBFormat*) /root/openbabel/src/obmolecformat.cpp:101:18
#4 0x5b247b in OpenBabel::OBConversion::Convert() /root/openbabel/src/obconversion.cpp:542:30
#5 0x5b140c in OpenBabel::OBConversion::Convert(std::istream*, std::ostream*) /root/openbabel/src/obconversion.cpp:478:17
#6 0x5a5c18 in LLVMFuzzerTestOneInput /root/openbabel/test/fuzz/fuzz_convert.cpp:35:14
...
Root Cause Analysis
A heap-buffer-overflow occurs in OpenBabel::OBSmilesParser::ParseSmiles when parsing certain malformed SMILES input. The crash is triggered by an out-of-bounds read on a dynamically allocated vector during parsing.
The attached file contains a proof-of-concept.
poc.zip