bamtools crashes/corrupts output data on s390x #235

@vpa1977

Description

The issue was detected in Ubuntu autopkgtests. The call to `bamtools revert -in sam_spec_example.bam -out out.bam` fails due to the buffer overflow detected[1] with the following stack trace:

```
(gdb) where
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1 0x000003fff789fd56 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2 0x000003fff784ba90 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x000003fff782b4cc in __GI_abort () at abort.c:79
#4 0x000003fff78921f8 in __libc_message_impl (fmt=fmt@entry=0x3fff79a428e "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:132
#5 0x000003fff792a50c in __GI___fortify_fail (msg=msg@entry=0x3fff79a424a "buffer overflow detected") at fortify_fail.c:24
#6 0x000003fff7929d38 in __GI___chk_fail () at chk_fail.c:28
#7 0x000003fff792adae in __GI___memcpy_chk (dstpp=dstpp@entry=0x2aa000ab261, srcpp=srcpp@entry=0x3ffffff99b4, len=len@entry=4, dstlen=dstlen@entry=3) at memcpy_chk.c:27
#8 0x000003fff7e2b6ba in memcpy (__len=4, __src=0x3ffffff99b4, __dest=0x2aa000ab261) at /usr/include/s390x-linux-gnu/bits/string_fortified.h:29
#9 BamTools::SwapEndian_32p (data=0x2aa000ab261 "") at /usr/src/bamtools-2.5.2+dfsg-5/src/api/BamAux.h:229
#10 BamTools::Internal::BamWriterPrivate::WriteAlignment (this=0x2aa000890d0, al=...) at /usr/src/bamtools-2.5.2+dfsg-5/src/api/internal/bam/BamWriter_p.cpp:353
#11 0x000003fff7e1445c in BamTools::Internal::BamWriterPrivate::SaveAlignment (al=..., this=0x2aa000890d0) at /usr/src/bamtools-2.5.2+dfsg-5/src/api/internal/bam/BamWriter_p.cpp:263
#12 BamTools::BamWriter::SaveAlignment (this=<optimized out>, alignment=...) at /usr/src/bamtools-2.5.2+dfsg-5/src/api/BamWriter.cpp:131
#13 0x000002aa00035f08 in BamTools::RevertTool::RevertToolPrivate::Run() ()
#14 0x000002aa0003e3fe in BamTools::RevertTool::Run(int, char**) ()
#15 0x000002aa0001017a in main ()
(gdb) print i
$1 = 17
```

This is due to the write loop in `src/api/internal/bam/BamWriter_p.cpp` using a single byte instead of `sizeof(uint32_t)` as the increment when swapping bytes in the integer data.

The output file on s390x is corrupted by the write operation.
bamtools crashes with the hardening flags enabled.

[1] https://objectstorage.prodstack5.canonical.com/swift/v1/AUTH_0f9aae918d5b4744bf7b827671c86842/autopkgtest-oracular/oracular/s390x/b/bamtools/20240701_175546_4de2a@/log.gz
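The stride bug the report describes, as an added example that is not bamtools' own code: `swap_words` models the writer's byte-swap loop with the per-iteration increment as a parameter, and refuses any iteration that would reach past the buffer (the condition `__memcpy_chk` aborted on above) instead of overflowing. `swap32_inplace`, `swap_words`, `run_swap` and the sample bytes are assumed stand-ins, not BamTools' `SwapEndian_32p`.

```cpp
// Added example, not bamtools' own code. swap32_inplace and swap_words are
// stand-ins for the byte-swap loop the report describes; kSample is constructed.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Reverse the byte order of the 32-bit word at p (independent of host endianness).
static void swap32_inplace(unsigned char* p)
{
    std::swap(p[0], p[3]);
    std::swap(p[1], p[2]);
}

// Swap `count` words in buf, advancing `stride` bytes per iteration.
// sizeof(uint32_t) is the correct stride; 1 reproduces the reported bug.
// Returns false (touching nothing further) if an iteration would read or
// write past the end of buf, the case the fortified memcpy aborted on.
bool swap_words(std::vector<unsigned char>& buf, std::size_t count, std::size_t stride)
{
    for (std::size_t i = 0; i < count; ++i) {
        const std::size_t off = i * stride;
        if (off > buf.size() || buf.size() - off < sizeof(uint32_t))
            return false;  // would overflow: stop instead of corrupting memory
        swap32_inplace(buf.data() + off);
    }
    return true;
}

// Constructed input: three little-endian words 0x01020304, 0x0A0B0C0D, 0x11121314.
const std::vector<unsigned char> kSample = {
    0x04, 0x03, 0x02, 0x01, 0x0D, 0x0C, 0x0B, 0x0A, 0x14, 0x13, 0x12, 0x11};

// Apply swap_words to a copy of kSample; an empty result means the write was refused.
std::vector<unsigned char> run_swap(std::size_t count, std::size_t stride)
{
    std::vector<unsigned char> buf = kSample;
    if (!swap_words(buf, count, stride))
        return {};
    return buf;
}

int main()
{
    std::vector<unsigned char> ok = run_swap(3, sizeof(uint32_t));  // correct stride
    std::vector<unsigned char> corrupt = run_swap(3, 1);  // overlapping swaps corrupt data
    std::vector<unsigned char> refused = run_swap(12, 1); // loop over byte count runs past buf
    return (ok.size() == 12 && corrupt != ok && refused.empty()) ? 0 : 1;
}
```

With the word count as the loop bound, stride 1 silently scrambles the bytes (the corrupted output the report mentions); with the byte count as the bound it would run past the buffer, which the check here refuses and FORTIFY_SOURCE's `__memcpy_chk` aborts on.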
