Allocate exactly one extra byte for cache-buffer NUL terminators

These fread buffers were over-allocated as size+4, a superstitious margin that never bought anything: every site writes a single trailing NUL at [size], so size+1 is exactly right. Trim them all to size+1. The proxytrack disk-fallback read in PT_ReadCache__New_u never wrote that NUL at all, unlike its sibling read paths in the same file; add the missing r->adr[r->size] = '\0' so the spare byte is actually used and the buffer is a valid C string. Signed-off-by: Xavier Roche <roche@httrack.com>
Merge pull request #358 from xroche/ci/asan-poison-fill
2026-06-15 14:53:57 +03:00 · 2026-06-15 09:30:34 +02:00 · 2026-06-15 09:19:04 +02:00 · 2026-06-15 09:16:48 +02:00 · 2026-06-15 09:07:37 +02:00
4 changed files with 17 additions and 8 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -171,8 +171,16 @@ jobs:
        # Leaks at exit are out of scope (the CLI frees little on the way out);
        # we want memory-safety errors, so turn leak detection off and make every
        # other finding abort the run.
+        #
+        # Poison fresh allocations with 0xCA and freed blocks with 0xCB (decimal
+        # 202/203) so memory never reads back as accidental zeros: a missing-NUL
+        # fread buffer then runs strlen off into the redzone instead of stopping
+        # at a lucky zero. Distinct bytes tell the two apart in a dump (0xCA =
+        # uninitialized, 0xCB = use-after-free). ASan caps its malloc fill at 4096
+        # bytes by default, so max_malloc_fill_size lifts it to cover large cache
+        # buffers; free_fill flags use-after-free reads.
        env:
-          ASAN_OPTIONS: detect_leaks=0:abort_on_error=1:halt_on_error=1:strict_string_checks=1
+          ASAN_OPTIONS: detect_leaks=0:abort_on_error=1:halt_on_error=1:strict_string_checks=1:malloc_fill_byte=202:max_malloc_fill_size=2147483647:free_fill_byte=203:max_free_fill_size=2147483647
          UBSAN_OPTIONS: print_stacktrace=1:halt_on_error=1
        run: make check

--- a/src/htscache.c
+++ b/src/htscache.c
@@ -939,7 +939,7 @@ static htsblk cache_readex_new(httrackp * opt, cache_back * cache,
                  FILE *const fp = FOPEN(fconv(catbuff, sizeof(catbuff), previous_save), "rb");

                  if (fp != NULL) {
-                    r.adr = (char *) malloct((int) r.size + 4);
+                    r.adr = (char *) malloct((int) r.size + 1);
                    if (r.adr != NULL) {
                      if (r.size > 0
                          && fread(r.adr, 1, (int) r.size, fp) != r.size) {
@@ -966,7 +966,7 @@ static htsblk cache_readex_new(httrackp * opt, cache_back * cache,
              // Data in cache.
              else {
                // lire fichier (d'un coup)
-                r.adr = (char *) malloct((int) r.size + 4);
+                r.adr = (char *) malloct((int) r.size + 1);
                if (r.adr != NULL) {
                  if (unzReadCurrentFile((unzFile) cache->zipInput, r.adr, (int) r.size) != r.size) {   // erreur
                    freet(r.adr);
@@ -1246,7 +1246,7 @@ static htsblk cache_readex_old(httrackp * opt, cache_back * cache,
                    FILE *fp = FOPEN(fconv(catbuff, sizeof(catbuff), return_save), "rb");

                    if (fp != NULL) {
-                      r.adr = (char *) malloct((size_t) r.size + 4);
+                      r.adr = (char *) malloct((size_t) r.size + 1);
                      if (r.adr != NULL) {
                        if (r.size > 0
                            && fread(r.adr, 1, (size_t) r.size, fp) != r.size) {
@@ -1268,7 +1268,7 @@ static htsblk cache_readex_old(httrackp * opt, cache_back * cache,
                }
              } else {
                // lire fichier (d'un coup)
-                r.adr = (char *) malloct((size_t) r.size + 4);
+                r.adr = (char *) malloct((size_t) r.size + 1);
                if (r.adr != NULL) {
                  if (fread(r.adr, 1, (size_t) r.size, cache->olddat) != r.size) {      // erreur
                    freet(r.adr);
@@ -1371,7 +1371,7 @@ int cache_readdata(cache_back * cache, const char *str1, const char *str2,

        cache_rint(cache->olddat, &len);
        if (len > 0) {
-          char *mem_buff = (char *) malloct(len + 4);   /* Plus byte 0 */
+          char *mem_buff = (char *) malloct(len + 1); /* trailing \0 */

          if (mem_buff) {
            if (fread(mem_buff, 1, len, cache->olddat) == len) {        // lire tout (y compris statuscode etc)*/
--- a/src/htsindex.c
+++ b/src/htsindex.c
@@ -334,7 +334,7 @@ void index_finish(const char *indexpath, int mode) {
    if (fp_tmpproject) {
      tab = (char **) malloct(sizeof(char *) * (hts_primindex_size + 2));
      if (tab) {
-        blk = malloct(size + 4);
+        blk = malloct(size + 1);
        if (blk) {
          fseek(fp_tmpproject, 0, SEEK_SET);
          if ((INTsys) fread(blk, 1, size, fp_tmpproject) == size) {
--- a/src/proxy/store.c
+++ b/src/proxy/store.c
@@ -1162,7 +1162,7 @@ static PT_Element PT_ReadCache__New_u(PT_Index index_, const char *url,
                    FILE *fp = fopen(file_convert(catbuff, sizeof(catbuff), previous_save), "rb");

                    if (fp != NULL) {
-                      r->adr = (char *) malloc(r->size + 4);
+                      r->adr = (char *) malloc(r->size + 1);
                      if (r->adr != NULL) {
                        if (r->size > 0
                            && fread(r->adr, 1, r->size, fp) != r->size) {
@@ -1172,6 +1172,7 @@ static PT_Element PT_ReadCache__New_u(PT_Index index_, const char *url,
                          sprintf(r->msg, "Read error in cache disk data: %s",
                                  strerror(last_errno));
                        }
+                        r->adr[r->size] = '\0';
                      } else {
                        r->statuscode = STATUSCODE_INVALID;
                        strcpy(r->msg,
Author	SHA1	Message	Date
Xavier Roche	17fc54869d	Allocate exactly one extra byte for cache-buffer NUL terminators These fread buffers were over-allocated as size+4, a superstitious margin that never bought anything: every site writes a single trailing NUL at [size], so size+1 is exactly right. Trim them all to size+1. The proxytrack disk-fallback read in PT_ReadCache__New_u never wrote that NUL at all, unlike its sibling read paths in the same file; add the missing r->adr[r->size] = '\0' so the spare byte is actually used and the buffer is a valid C string. Signed-off-by: Xavier Roche <roche@httrack.com>	2026-06-15 09:30:34 +02:00
Xavier Roche	d2e43549d8	Merge pull request #358 from xroche/ci/asan-poison-fill ci: poison the ASan allocator to surface missing-NUL bugs	2026-06-15 09:19:04 +02:00
Xavier Roche	a9b16d96ea	ci: poison the ASan allocator to surface missing-NUL bugs Fill malloc'd and freed memory with 0xCA in the sanitize job so a buffer fread into without NUL termination, then used as a C string, runs off into the redzone instead of stopping at an accidental zero byte. ASan caps its malloc fill at the first 4096 bytes by default, which lets large cache buffers escape; max_malloc_fill_size lifts the cap. No rebuild, no source change -- purely the test environment. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Xavier Roche <roche@httrack.com>	2026-06-15 09:16:48 +02:00
Xavier Roche	4ed828ff78	Merge pull request #357 from xroche/audit/fread-nul-termination Fix more un-NUL-terminated fread buffers used as C strings	2026-06-15 09:07:37 +02:00