Invalid Address Deference in function file_type in tabix.c

[wcventure]

Hi,

We found an Invalid Address Deference problem in function elf_end in libelf of the latest htslib code base. I have confirmed them with Address Sanitizer, too.

Here are the POC files. Please use " ./tabix $POC " to reproduce this bug.
POC.zip

The ASAN dumps the stack trace as follows:

ASAN:DEADLYSIGNAL
=================================================================
==14393==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000044 (pc 0x0000004ecd16 bp 0x7fff191771f0 sp 0x7fff191771a0 T0)
    #0 0x4ecd15 in file_type htslib_new/tabix.c:82:45
    #1 0x4f0be3 in main htslib_new/tabix.c:473:17
    #2 0x7fbb4dbf582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #3 0x41a928 in _start (htslib_new/build/bin/tabix+0x41a928)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV htslib_new/tabix.c:82:45 in file_type
==14393==ABORTING

[wcventure]

This bug was discovered by NTU Cyber-Security-Lab. If you have any questions, please let me know.

[daviesrob]

Thanks for the report.

PR #811 should fix this. As far as I can tell the problem would happen on any file where tabix couldn't detect the format, and also on files that fail to open for some reason. Given how likely it is to happen, I'm surprised that there aren't many more issues about this. I guess most people only run tabix on files that it understands....