Open
Description
If a blosc2_schunk has no frame (as in the provided testcase), blosc2_schunk_avoid_cframe_free crashes with a NULL dereference: frame_avoid_cframe_free (frame.c:2028) writes frame->avoid_cframe_free through a NULL frame pointer. The fault address in the report (0x10, in the zero page) is consistent with a fixed field offset from NULL, so despite the automated "PROBABLY_EXPLOITABLE" rating this looks like a deterministic NULL dereference — a crash rather than a controlled write. It could be fixed with a simple NULL check on the schunk's frame before calling into frame_avoid_cframe_free.
testcase.cpp
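#include <cstdint>
extern "C" {
#include "/fuzz/install/include/blosc2.h"
}

// Reproducer: a schunk created with the default storage has no frame, so
// blosc2_schunk_avoid_cframe_free() ends up writing through a NULL
// blosc2_frame_s* inside frame_avoid_cframe_free() (frame.c:2028).
int main() {
  // Default storage is in-memory (contiguous = false), so no frame is created
  blosc2_storage st = blosc2_get_blosc2_storage_defaults();
  blosc2_schunk* schunk = blosc2_schunk_new(&st);
  if (!schunk) return 0;
  // Crashes: implementation dereferences a NULL frame pointer
  blosc2_schunk_avoid_cframe_free(schunk, true);
  // Only reached once the library guards the missing frame; release the
  // schunk so a fixed build does not leak it.
  blosc2_schunk_free(schunk);
  return 0;
}
crash report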
{
"Date": "2025-09-21T04:24:28.074170+00:00",
"Uname": "Linux eb1b587ca399 5.15.0-140-generic #150-Ubuntu SMP Sat Apr 12 06:00:09 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux",
"OS": "Ubuntu",
"OSRelease": "22.04",
"Architecture": "amd64",
"ExecutablePath": "/tmp/tmpbc_8t2vx/reproducer",
"ProcEnviron": [
"LIBAFL_EDGES_MAP_SIZE=800000",
"PWD=/fuzz/workspace",
"CXX=gf_libafl_cxx",
"GRAPHFUZZ_USE_ASAN=1",
"HOME=/root",
"ASAN_OPTIONS=hard_rss_limit_mb=1024:detect_leaks=0",
"TERM=xterm-256color",
"SHLVL=1",
"LD_LIBRARY_PATH=/fuzz/install/lib",
"PATH=/root/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"CC=gf_libafl_cc",
"DEBIAN_FRONTEND=noninteractive",
"OLDPWD=/fuzz/src",
"_=/usr/local/bin/agfi"
],
"ProcCmdline": "/tmp/tmpbc_8t2vx/reproducer",
"Stdin": "",
"ProcStatus": [],
"ProcMaps": [],
"ProcFiles": [],
"NetworkConnections": [],
"CrashSeverity": {
"Type": "PROBABLY_EXPLOITABLE",
"ShortDescription": "DestAvNearNull",
"Description": "Access violation near NULL on destination operand",
"Explanation": "The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control write address and/or value. However, there is a chance it could be a NULL dereference."
},
"Stacktrace": [
" #0 0x5555556bfc8a in frame_avoid_cframe_free /fuzz/src/blosc/frame.c:2028:28",
" #1 0x55555566b6bc in main /tmp/tmpbc_8t2vx/reproducer.cpp:11:3",
" #2 0x7ffff7a6dd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16",
" #3 0x7ffff7a6de3f in __libc_start_main csu/../csu/libc-start.c:392:3",
" #4 0x5555555904d4 in _start (/tmp/tmpbc_8t2vx/reproducer+0x3c4d4) (BuildId: 7115500031453dd292167fe7935a82b53829c9e9)"
],
"Registers": {},
"Disassembly": [],
"Package": "",
"PackageVersion": "",
"PackageArchitecture": "",
"PackageDescription": "",
"AsanReport": [
"==155==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x5555556bfc8a bp 0x000000000001 sp 0x7fffffffea60 T0)",
"==155==The signal is caused by a WRITE memory access.",
"==155==Hint: address points to the zero page.",
" #0 0x5555556bfc8a in frame_avoid_cframe_free /fuzz/src/blosc/frame.c:2028:28",
" #1 0x55555566b6bc in main /tmp/tmpbc_8t2vx/reproducer.cpp:11:3",
" #2 0x7ffff7a6dd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16",
" #3 0x7ffff7a6de3f in __libc_start_main csu/../csu/libc-start.c:392:3",
" #4 0x5555555904d4 in _start (/tmp/tmpbc_8t2vx/reproducer+0x3c4d4) (BuildId: 7115500031453dd292167fe7935a82b53829c9e9)",
"",
"AddressSanitizer can not provide additional info.",
"SUMMARY: AddressSanitizer: SEGV /fuzz/src/blosc/frame.c:2028:28 in frame_avoid_cframe_free",
"==155==ABORTING"
],
"MsanReport": [],
"UbsanReport": [],
"LuaReport": [],
"PythonReport": [],
"GoReport": [],
"JavaReport": [],
"RustReport": [],
"JsReport": [],
"CSharpReport": [],
"CrashLine": "/fuzz/src/blosc/frame.c:2028:28",
"Source": [
" 2024 }",
" 2025 ",
" 2026 ",
" 2027 void frame_avoid_cframe_free(blosc2_frame_s* frame, bool avoid_cframe_free) {",
"--->2028 frame->avoid_cframe_free = avoid_cframe_free;",
" 2029 }",
" 2030 ",
" 2031 ",
" 2032 struct csize_idx {",
" 2033 int32_t val;"
]
}