#40 Segmentation Fault (122030138)

[Google-Autofuzz]

Hello InChI team,

As part of our fuzzing efforts at Google, we have identified an issue affecting
InChI (tested with revision v1.04, September 2011).

To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here:
https://docs.docker.com/engine/reference/builder/

Instructions:
unzip artifacts_122030138.zip
docker build --build-arg SANITIZER=address --tag=autofuzz-InChI-122030138 autofuzz_122030138
docker run --entrypoint /fuzzing/repro.sh --cap-add=SYS_PTRACE -v $PWD/autofuzz_122030138/poc-4e7731f2b676fc5f6e7e3e6d734ba280a82ab69c6a1c234a6d55c892558b0ac6_min:/tmp/poc autofuzz-InChI-122030138 "" /tmp/poc
docker run --cap-add=SYS_PTRACE -v $PWD/autofuzz_122030138/poc-4e7731f2b676fc5f6e7e3e6d734ba280a82ab69c6a1c234a6d55c892558b0ac6_min:/tmp/poc -it autofuzz-InChI-122030138

Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:

INFO: Seed: 4072674517
INFO: Loaded 0 modules (0 guards): 
/fuzzing/fuzzer: Running 1 inputs 500 time(s) each.
Running: /tmp/poc-4e7731f2b676fc5f6e7e3e6d734ba280a82ab69c6a1c234a6d55c892558b0ac6
ASAN:DEADLYSIGNAL
=================================================================
==6==ERROR: AddressSanitizer: SEGV on unknown address 0x0000fffffff0 (pc 0x00000042a76f bp 0x0000fffffff0 sp 0x7ffea66091a0 T0)
==6==The signal is caused by a WRITE memory access.
    #0 0x42a76e in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) (/fuzzing/fuzzer+0x42a76e)
    #1 0x4ddf1c in __interceptor_cfree.localalias.0 (/fuzzing/fuzzer+0x4ddf1c)
    #2 0x6b2423 in free_t_group_info /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichitaut.c:4008:13
    #3 0x6b24bb in make_a_copy_of_t_group_info /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichitaut.c:4027:5
    #4 0x6032d0 in Create_INChI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichimake.c:3039:13
    #5 0x6fe754 in MakeOneInChIOutOfStrFromINChI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichirvr1.c:4411:14
    #6 0x6ce8a7 in RestoreAtomMakeBNS /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichirvr4.c:2633:15
    #7 0x6cfd48 in OneInChI2Atom /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichirvr4.c:2840:11
    #8 0x67e7fc in InChI2Atom /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichirvr7.c:131:11
    #9 0x681407 in AllInchiToStructure /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichirvr7.c:787:23
    #10 0x659c40 in ReadWriteInChI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:929:23
    #11 0x543f6e in GetStructFromINCHI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/inchi_dll.c:2293:16
    #12 0x518759 in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/inchi_fuzzer.cc:27:3
    #13 0x523ede in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/fuzzer+0x523ede)
    #14 0x51903e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/fuzzing/fuzzer+0x51903e)
    #15 0x51d547 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/fuzzing/fuzzer+0x51d547)
    #16 0x518d5b in main (/fuzzing/fuzzer+0x518d5b)
    #17 0x7f117699e2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #18 0x41ff89 in _start (/fuzzing/fuzzer+0x41ff89)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/fuzzing/fuzzer+0x42a76e) in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType)
==6==ABORTING

We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate to learn your expected
timeline for an update to be released. With any fix, please attribute the report
to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion to
the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.

Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team