Shift operation causing undefined-behavior in function hash()

[skorpion98]

Describe the bug

We found an undefined-behavior caused by a left shift operation in function hash()

clamav/libclamav/yara_hash.c

Line 83 in 19b25ce

result ^= ROTATE_INT32(byte_to_int32[*buffer], i);

after testing one of the harnesses provided on the OSS-Fuzz repository (clamav_dbload_YARA_fuzzer).
More specifically, the program performs a shift with exponent 32 on an uint8_t array element and attempts to store the result in a variable of type uint32_t, but the result cannot be represented by the destination type.

How to reproduce the problem

In the attached archive you will find:

• the executable on which we performed our tests
• the input file that caused the bug
• the output of ASan confirming our finding

To reproduce the error, simply run the given binary with the testcase files with a command like: ./clamav_dbload_YARA_fuzzer /path_to_testcases/input

The program has been tested on the standard Docker image provided on OSS-Fuzz using Ubuntu 20.04, providing AFL++ as fuzzing engine and build flag --sanitizer=undefined.

The hash commit used to perform the tests is 25ca17b

Environment

• OS: Linux
• Version/Distribution: Ubuntu 20.04
• Architecture: x86_64