
Libfuzzer: "member access within null pointer of type 'blosc2_stdio_file'" #373

Open
swirsz opened this issue Jan 6, 2022 · 3 comments

@swirsz
swirsz commented Jan 6, 2022

Compiling source from github on January 6, 2022, detected via Libfuzzer:

./decompress_frame_fuzzer crash-343.txt

crash-343.txt

/src/c-blosc2/blosc/blosc2-stdio.c:47:21: runtime error: member access within null pointer of type 'blosc2_stdio_file'

Address sanitizer report:


```
Running: crash-343.txt
AddressSanitizer:DEADLYSIGNAL
==372522==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005ca43c bp 0x7ffff2edf8b0 sp 0x7ffff2edf8b0 T0)
==372522==The signal is caused by a READ memory access.
==372522==Hint: address points to the zero page.
    #0 0x5ca43c in blosc2_stdio_seek /src/c-blosc2/blosc/blosc2-stdio.c:47:21
    #1 0x5745a5 in blosc_d /src/c-blosc2/blosc/blosc2.c:1442:7
    #2 0x566db7 in serial_blosc /src/c-blosc2/blosc/blosc2.c:1738:16
    #3 0x566db7 in do_job /src/c-blosc2/blosc/blosc2.c:1903:15
    #4 0x56df8c in blosc_run_decompression_with_context /src/c-blosc2/blosc/blosc2.c:2546:13
    #5 0x56e3dc in blosc2_decompress_ctx /src/c-blosc2/blosc/blosc2.c:2566:12
    #6 0x5b5a41 in frame_decompress_chunk /src/c-blosc2/blosc/frame.c:3377:24
    #7 0x58fdf6 in blosc2_schunk_decompress_chunk /src/c-blosc2/blosc/schunk.c:991:17
    #8 0x55e4f6 in LLVMFuzzerTestOneInput /src/c-blosc2/tests/fuzz/fuzz_decompress_frame.c:37:15
    #9 0x455353 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp
    #10 0x440f92 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #11 0x4467ec in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp
    #12 0x46f5f2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #13 0x7f688dd210b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #14 0x41f74d in _start (/home/sw/oss-fuzz-master/build/out/c-blosc2/decompress_frame_fuzzer+0x41f74d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/c-blosc2/blosc/blosc2-stdio.c:47:21 in blosc2_stdio_seek
```

@FrancescAlted
Member

Thanks for reporting. Any chance you can provide a fix? Thanks!

@swirsz
Author

swirsz commented Jan 10, 2022

```c
int blosc2_stdio_seek(void *stream, int64_t offset, int whence) {
  /* stream is cast and dereferenced without a NULL check; this is the 47:21 site in the report */
  blosc2_stdio_file *my_fp = (blosc2_stdio_file *) stream;
  int rc;
#if defined(_MSC_VER) && (_MSC_VER >= 1400)
  rc = _fseeki64(my_fp->file, offset, whence);
#else
  rc = fseek(my_fp->file, (long) offset, whence);
#endif
  return rc;
}
```

47:21 is the line `rc = fseek(my_fp->file, (long) offset, whence);`

UBSan shows `my_fp->file` as an access within a null pointer of type `blosc2_stdio_file`.

Since this is fuzzer data, we expect it to be random and incorrect. It appears that `blosc_d()` is hitting `BLOSC2_ERROR_INVALID_PARAM` and `BLOSC_TRACE_ERROR("Error getting the input/output API");` before it calls `blosc2_stdio_seek()` with apparently invalid `*stream` data. I'm not certain about the best patch to solve this problem, but possibly something that detects invalid data and stops execution before `blosc2_stdio_seek` is called?

@FrancescAlted
Member

I have had another look at this, and now we check that open is succeeding before the seek (4460dfe). Not sure if that would fix the issue with fuzzer, but it should help.
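The two defensive layers the thread points at, a caller that only seeks once open has succeeded and a seek callback that refuses a NULL handle instead of dereferencing it, as an added C example. This is not c-blosc2's code: the `demo_*` functions and the struct layout are assumptions written for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Demo handle mirroring the wrapper in the report (assumed layout, not c-blosc2's struct). */
typedef struct {
  FILE *file;
} demo_stdio_file;

/* Hypothetical open: returns NULL on any failure rather than a half-initialised handle. */
void *demo_stdio_open(const char *path, const char *mode) {
  FILE *f = fopen(path, mode);
  if (f == NULL) return NULL;
  demo_stdio_file *fp = malloc(sizeof *fp);
  if (fp == NULL) { fclose(f); return NULL; }
  fp->file = f;
  return fp;
}
/* Hardened seek: reject a NULL stream or a NULL FILE instead of dereferencing it. */
int demo_stdio_seek(void *stream, int64_t offset, int whence) {
  demo_stdio_file *fp = (demo_stdio_file *) stream;
  if (fp == NULL || fp->file == NULL) return -1;
  return fseek(fp->file, (long) offset, whence);
}

void demo_stdio_close(void *stream) {
  demo_stdio_file *fp = (demo_stdio_file *) stream;
  if (fp == NULL) return;
  if (fp->file != NULL) fclose(fp->file);
  free(fp);
}

/* Caller pattern from the fix: only seek once open has succeeded. */
int demo_seek_in_file(const char *path, int64_t offset) {
  void *s = demo_stdio_open(path, "rb");
  if (s == NULL) return -1;   /* open failed: the seek is never reached */
  int rc = demo_stdio_seek(s, offset, SEEK_SET);
  demo_stdio_close(s);
  return rc;
}

/* Writes a small constructed file so the demo runs offline; returns 0 on success. */
int demo_write_file(const char *path) {
  FILE *f = fopen(path, "wb");
  if (f == NULL) return -1;
  const unsigned char bytes[8] = {0xb2, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06};
  size_t n = fwrite(bytes, 1, sizeof bytes, f);
  return (fclose(f) == 0 && n == sizeof bytes) ? 0 : -1;
}
```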
