Fix possible 1 byte underflow in find_file_extension() (#1840)

daviesrob · web-flow · commit 077cf7021b27 · 2024-09-23T15:33:59.000+01:00
When checking for another delimiter before .gz or .bgz, the
pointer into the string was decremented without checking to
see if was at the start.  This could lead to a one byte read
before the start of the string when copying out the delimiter.

Credit to OSS_Fuzz
Fixes oss-fuzz id 71740
diff --git a/hts_internal.h b/hts_internal.h
@@ -129,7 +129,7 @@ static inline int find_file_extension(const char *fn, char ext_out[static HTS_MA
     if (!fn) return -1;
     if (!delim) delim = fn + strlen(fn);
     for (ext = delim; ext > fn && *ext != '.' && *ext != '/'; --ext) {}
-    if (*ext == '.' &&
+    if (*ext == '.' && ext > fn &&
         ((delim - ext == 3 && ext[1] == 'g' && ext[2] == 'z') || // permit .sam.gz as a valid file extension
         (delim - ext == 4 && ext[1] == 'b' && ext[2] == 'g' && ext[3] == 'z'))) // permit .vcf.bgz as a valid file extension
     {

Original file line number	Diff line number	Diff line change
`@@ -129,7 +129,7 @@ static inline int find_file_extension(const char *fn, char ext_out[static HTS_MA`
`129`	`129`	`if (!fn) return -1;`
`130`	`130`	`if (!delim) delim = fn + strlen(fn);`
`131`	`131`	`for (ext = delim; ext > fn && ext != '.' && ext != '/'; --ext) {}`
`132`		`- if (*ext == '.' &&`
	`132`	`+ if (*ext == '.' && ext > fn &&`
`133`	`133`	`((delim - ext == 3 && ext[1] == 'g' && ext[2] == 'z') \|\| // permit .sam.gz as a valid file extension`
`134`	`134`	`(delim - ext == 4 && ext[1] == 'b' && ext[2] == 'g' && ext[3] == 'z'))) // permit .vcf.bgz as a valid file extension`
`135`	`135`	`{`