Affected versions of bam
set the length of an internal buffer using
self.compressed.set_len(block_size - HEADER_SIZE - MIN_EXTRA_SIZE)
and then
wrote into it. While block_size
was constrained to a proper maximum, when it
was too small the subtraction could overflow negatively to a large number past
the capacity of self.compressed
.
This can result in memory corruption in the form of writing out of bounds when
loading a bgzip
file with a small block_size
.
Commit 061eee38d4
fixed this issue by checking for the underflow when setting
the buffer size.
{ "license": "CC0-1.0" }