Open Babel
cpe:2.3:a:openbabel:open_babel:*:*:*:*:*:*:*
- <= 3.1.1
A heap-use-after-free vulnerability has been identified in Open Babel versions through 3.1.1. The issue arises in the GAMESSOutputFormat::ReadMolecule function within gamessformat.cpp. When the parser processes GAMESS output files, it tokenizes the input and converts one of the tokens to an integer using atoi. However, the token buffer is freed after being cleared, so the pointer passed to atoi refers to memory that has already been released; this dangling pointer is what an attacker can exploit. This vulnerability requires local access to exploit, and a public proof-of-concept is available.
Exploitation of this vulnerability results in a heap-use-after-free condition, which causes memory corruption and may allow arbitrary code execution.
The vulnerability can be reproduced by compiling Open Babel with AddressSanitizer and UndefinedBehaviorSanitizer enabled. Once built, the fuzzer can be run with a crafted input file that triggers the use-after-free condition. The program crashes, and AddressSanitizer reports the heap-use-after-free error, confirming that the vulnerability has been triggered.